Spend some time on LinkedIn or Twitter to observe the range of opinions about what it’s like to work in the public versus the private sector. Having done both, I can attest that there are indeed differences. There’s also a lot more overlap than social media conjecture often leaves room for.
Public vs. Private Sector
Some of the most notable differences I’ve observed around how work gets done include:
- Who is actually doing the work? Third-party contractors, consultancies, and full-time employees all contribute to the mission in different ways depending on the organization.
- The motivation and organization around speed to market and compliance attestation.
- The willingness to embrace reciprocity around security controls and compliance attestations.
Discussion of specific technical practices to secure a particular organization type is likely not very helpful because there are so many variables that should inform what the “right” or “best” approach should be. Normally, you would see articles written up about the government’s need to embrace all of the cutting-edge innovations happening in the private sector, failing fast, machine learning, everything on the blockchain, etc.
Instead, this article will explore how the private sector can leverage some practices that are more widely used in the public sector and center around security and risk management maturity, things I didn’t notice a lot of in my time spent in the private sector.
Before I get into any of these, it’s worth noting that these are my opinions and only my opinions. I’m also not suggesting that the federal government does these things perfectly. As in any organization, there’s a spectrum. I’d like for every reader to think about the spirit and intent behind the effort.
Workforce
Because work in the public sector is heavily supported by a contractor-based workforce, there are inevitably a lot of legal and procurement processes that support this dynamic.
In the private sector, the equivalent dynamic I’ve observed most frequently is the engagement of consultancies and managed security service providers (MSSPs) to support or sometimes completely handle certain functional areas. In the interest of expediency, contracting agreements cover the work to be done, the pricing, and some basic logistics.
Government contracts, though, also incorporate performance conditions, regular program touchpoints, and more. The takeaway is that they build in many mechanisms to manage performance and create accountability.
Balancing Speed, Security, and Compliance
Those familiar with government work will likely have strong feelings about the authority to operate (ATO) process. The ATO has many flaws. Additionally, the intention behind it oftentimes does not align with the outcomes. Still, the intentional pause the ATO process imposes, to make sure that you have a risk-aligned baseline, is a positive thing, even if you automate the whole process.
The oftentimes unspoken outcome of the ATO process is that it manages perceived risk. That is, risk as perceived by outside stakeholders. In the public sector’s case, that might be a parent agency, the OIG, or some other leadership entity. Managing perceived risk proactively through prepared documentation, thought-through security narratives, and some form of attestation could be quite beneficial when applied in the right places in the private sector.
Security is frequently looking to position itself as an enabler within an organization. One of the core functions of most private sector organizations centers around sales and marketing. This frequently intersects with cybersecurity in vendor risk assessments, which deal, in large part, with perceived risk.
Before going live with a product, thinking through and taking action to manage perceived risk can help things move faster down the road, rather than reacting after the fact.
Reciprocity
The notion of reciprocity is probably most notably present in the third-party risk management process. I have seen numerous vendor security review processes “demand” compliance attestations, such as SOC2 Type 2, but then simultaneously perform a similar audit of their own. Multiply that over many potential customers in a pipeline and the burden is very real.
FedRAMP, even though it is a bottleneck in many ways within the public sector, acts as a strong example of attestation where reciprocity in controls is taken seriously, short-circuiting the review process significantly. I would love to see private sector organizations move towards a model of either embracing third-party certifications, such as SOC2 Type 2, more readily or spending their vendor risk assessment time on activities that are not duplicative and that actually manage the risk of using or integrating a given solution.
Concluding Thoughts
Neither public nor private sector is “better” than the other; they’re different. I believe it’s important that, in the spirit of open dialogue, both sides of this divide be actively seeking to improve and learn from the other.
Take the nuggets out of good practices and apply them. Take the lessons learned from bad practices and incorporate those. There is always room to improve in cybersecurity. Things are never perfect, but we don’t get better unless we challenge the status quo.