Blurring the Lines: Information Security in the Public and Private Sectors

Private and public sector organizations serve two different masters. On the one hand, legislatures, which control the purse strings. On the other, shareholders, who demand accountability.

Uncle Sam is becoming an ever-more attractive employer on the recruitment front, as federal employees have raked in larger average pay increases over the last decade.

With the intense focus on cybersecurity today, people frequently ask how information security is handled in the private sector versus the public sector. The reality is that the line between the two has blurred: public/private partnerships have multiplied, and security services and functions are increasingly outsourced.

Most federal, state and local governments no longer develop their own IT products; they depend heavily on the private sector to develop, deploy and manage information security products and services. Public and private sector entities draw on the same pool of people and technology, and expertise now moves freely between the two sectors.

Equal Opportunity Targets

The state of security in the private versus the public sector cannot be judged from counts of network attacks or breaches, because many private sector organizations never publicly disclose such incidents. The information that is available should be treated as an anecdotal indicator only, but even a sampling of incident data shows that neither sector has been spared from significant breaches. In the private sector, examples include the following, and the list goes on and on:

  • More than 45 million credit and debit card numbers used at two major retailers were exposed.
  • An unencrypted backup tape holding 4.5 million bank customers’ Social Security numbers and account information was lost in transit to a storage facility.
  • 4.2 million customer card transactions at a grocery chain were compromised, and the attackers went on to create 1800 fraudulent credit card transactions.
  • A ski resort was hit by attackers who installed malicious software to capture credit card data as it was processed at the resort.

Any organization delivering products or services where proprietary or personal information is at risk understands that security is an issue. The difference lies in how each sector approaches implementation and how it interprets and responds to existing security laws and regulations.

Neither sector has been spared from Congress’ attempts to address information security deficiencies through legislation. The result is a wide array of measures intended to improve the state of security, including:

  • The Federal Information Security Management Act (FISMA), which covers not only federal agencies but every organization acting on behalf of those agencies.
  • The Sarbanes-Oxley Act (SOX), enacted in response to corporate scandals that affected millions of Americans and undermined confidence in the country’s securities markets.
  • The Health Insurance Portability and Accountability Act (HIPAA), which focuses on safeguarding health information.
  • The Cybersecurity Enhancement Act, still pending, which encourages closer collaboration between the federal government and the private sector.

Looking at the following areas may offer insight into where the two sectors stand.

Recruiting the Infosec Workforce

A skilled workforce is critical to the success of any security program. Historically, the public sector has lagged behind the private sector in its ability to compete for skilled professionals.

Today, with the economic downturn, state and local government budgets have been hit hard, limiting their ability to compete in the information security job market. The picture for the federal government, however, is changing. A recent USA Today article noted:

At a time when workers’ pay and benefits have stagnated, federal employees’ average compensation has grown to more than double what private sector employees earn, a USA Today analysis finds. Federal workers have been awarded bigger average pay and benefit increases than private employees for nine years in a row. The compensation gap between federal and private workers has doubled in the last decade.

Federal employment has become more appealing to those seeking stability and better benefits in uncertain economic times. The private sector may remain the employer of choice, but the federal sector is closing the gap. Public institutions also use other incentives: hiring bonuses to offset salary disparities, and subsidies for advanced degrees, security certifications and other professional credentials.

Risk-based Decision-making

Public sector security strategy is seldom profit-driven, because most government organizations provide services and products at no charge to the user. Security spending is driven almost exclusively by the interpretation of best practices, the availability of suitable IT products and the budget on hand.

Chief information officers (CIOs) and chief information security officers (CISOs) must tie funding requests to business goals and objectives, and must reckon with the audit staffs that review and assess how well their security programs are working. The major drivers are minimizing audit findings, avoiding negative public perception and steering clear of criticism from high-level oversight bodies, such as Congress, that can withhold funding.

The private sector carries an additional level of responsibility: it answers to shareholders who require that the company show a profit and retain its customer base. These are generally non-issues in the public model. With the customer base typically pre-defined and few options for moving to another service provider, cost considerations, risk acceptance and risk avoidance may be weighted differently. The mantra ‘I choose to accept the risk’ may resonate more often in the private sector, where management tends to have more autonomy than in the public sector.

Consistency of Security Control Implementation

Security laws and regulations establish the framework for ‘best practice’ and ‘due diligence’ in both sectors. Laws such as HIPAA, SOX and FISMA are backed by catalogues of practices developed collaboratively by private and public sector participants. Much collaborative work has also gone into voluntary standards for specific security areas, such as encryption. The Payment Card Industry Data Security Standard (PCI DSS) is one example of such a joint effort whose standards are universally available.

Many IT security products used in both sectors must be certified by private, independent laboratories against government standards or against standards that emerged from public/private collaboration, such as those of the International Organization for Standardization (ISO) and the American National Standards Institute (ANSI). This shared certification base helps foster consistency of security implementations across both sectors. Variables that may still differ between them include:

  • Specificity of testing
  • Intensity of oversight
  • Scope of reporting requirements
  • Assessment procedures employed

Unfortunately, comprehensive data on these areas is incomplete or unavailable for both sectors.

Walking Hand-in-Hand

Both sectors have made progress, much of it driven by a more security-savvy public. With greater access to the internet, consumers today are more aware of security issues, such as identity theft, spam and phishing, than ever before. Anecdotal evidence tells us, however, that still greater awareness and effort are needed.

The lines of separation between the two sectors are becoming increasingly blurred. In the future, the appropriate question may well be: why distinguish between public and private sector security at all? We’re all in this together.

Members of the (ISC)² U.S. Government Advisory Board Executive Writer’s Bureau include federal IT security experts from government and industry. Visit the (ISC)² website for a full list of Bureau members.
