I recently spoke at the NJ-GMIS Cyber Security Briefing at New Jersey’s Regional Operations and Intelligence Center (ROIC) on approaches to reducing risk in municipal governments via third-party assessment. The presentation ended up getting very interesting when we delved into the idea of “collaborative risk management.”
Pivot Point Security has been fortunate enough to conduct hundreds of risk assessments, gap assessments and/or vulnerability assessments in the municipal government space over the last few years. The municipal government space is very homogeneous, in that organizations provide many of the same services, leverage many of the same applications, utilize many of the same vendors and are subject to mostly the same laws and regulations. This creates opportunities to leverage the data across these hundreds of engagements in new and interesting ways. For example:
- We know to a statistically relevant level the likelihood that a municipal entity has a public-facing vulnerability that can be exploited.
- We can reliably predict the likelihood of certain critical and high-severity internal and external vulnerabilities based on the applications an entity is running.
- We can reliably infer which managed IT services vendor an entity uses from the pattern of public-facing vulnerabilities it exposes, because each vendor tends to leave the same weaknesses across its municipal clients.
- We know to a statistically relevant level the likelihood that a municipal entity has a well-formed Incident Response and/or Business Continuity Plan.
- We know to a statistically relevant level the likelihood that a municipal entity has a well-developed Vendor Risk Management program.
- We know to a statistically relevant level the likelihood that a municipal entity has a well-developed Security Awareness Training program.
This high degree of commonality gives municipal entities an enormous opportunity to work together to reduce these risks. For example, municipalities can:
- Improve the quality and reduce the cost of managing vendor risk by coordinating and sharing vendor risk reviews.
- Develop and propagate templates and shareable expertise for elements like Incident Response and/or Business Continuity.
- Coordinate bulk purchasing of key services like security monitoring or Security Awareness Education.
Driving this collaboration is the key. It could potentially be done via a state-sponsored program, an association such as GMIS International, or the government risk pools that many municipalities rely on for their insurance coverage.
We look forward to contributing…