
The Importance of Bridging the Public/Private Industry Gap

February 25, 2011

Every so often we read articles that speak of public/private industry collaboration toward best practices in the field of cyber security. We hear of working groups, industry forums, training and collaboration, and even private industry executives testifying before congress regarding their experiences. But after all the hoopla and posturing, it seems all parties return to their corners and go back to doing what they do best. In the private sector, it’s typically a continuous balance of making risk-based decisions consisting of implementing appropriate controls for the value or criticality of the systems containing the organization’s information. Yes, there is an element of compliance in many cases, but ultimately the decision always comes down to a financial calculation of what is at risk and what a company should spend to mitigate that risk.

In the public sector, checklist-based compliance mandates focusing on one-size-fits-all policies such as FISMA, DIACAP, and NIST guidelines are the norm. Years of repeated point-in-time assessments are performed, only to reveal patching deficiencies and existing exploits that should have been captured and considered as part of any best-practices cyber program. The difference is that the public sector is motivated and managed by getting checks in the compliance boxes, and public sector cyber providers are motivated by keeping proverbial “butts in the seats,” rather than receiving compensation for providing leading-edge solutions and real-time sustained decision support. In fact, many government contractors shy away from efficiency and automation because it can reduce the precious recurring revenue stream that results from mundane FISMA and other compliance audits. Pointing out agency vulnerabilities always creates sufficient fear-factor to maintain the status quo.

The bottom line is that commercial contractors who protect large financial services, energy, transportation, health care and other critical commercial infrastructures are better incented by their commercial clients to provide innovation, speed to implementation, and enhanced cyber solutions. Multi-national banks have all the same confidentiality, integrity, availability, and accountability issues as the majority of government agencies. And yes, multi-national banks have deep pockets as well. But, they do not have the luxury of getting it wrong. One data breach can cost millions in direct financial loss, brand degradation, and loss of paying customers and investors, and might result in total failure. So, multi-national banks pay for security providers to deliver the best solutions, at the fastest speed, and always balance risk versus budget during the process. The public sector can learn a lot from this model. Not so much from what is the new or hot technology, but rather from leveraging innovation, speed, and performance from the best practices and efficiencies learned in the private sector.

There are certainly government contractors who provide cyber innovation and can count themselves among the best security professionals in the world. But unfortunately there are far too many that are content to source bodies and perform mundane certification and accreditation tasks. For evidence of this point, one need only look at why so many large government agencies still struggle to even understand the most basic nuances of their networks, let alone make effective risk-based decisions. Is it the internal agency politics? Or is it that government agencies simply make it too easy and profitable for government contractors to put and keep “butts in seats”?
