Cybersecurity is a huge topic that can be complex and hard to pin down. Risks and remedies continue to evolve as technology does, which is why it’s fertile ground for myths to grow.
Here are some of the most common myths about cybersecurity in government:

| Myth | Truth |
| --- | --- |
| One-time security measures are sufficient. | Maintaining cybersecurity is an ongoing process that requires continuous monitoring, updates and adaptations to new threats. |
| Only the IT department is responsible for cybersecurity. | Cybersecurity is everyone’s responsibility, including non-technical staff who may be susceptible to phishing attacks and need regular reminders. |
| Government systems are inherently secure because of regulations. | Having compliance standards does not automatically mean systems are fully protected. |
| All security threats come from external players. | Whether from malicious intent or unintentional mistakes, internal staff can also pose a risk. |
| Adding security slows down development and innovation. | It doesn’t have to…! |
This last myth can lead to security being an afterthought rather than a core part of the development lifecycle. What tends to happen, especially in waterfall-style project management, is that we do one, big, all-encompassing review of security as a final check before go-live.
There are many potential downsides to this approach. For example, product releases tend to be delayed by multiple security hurdles found late, and a single point-in-time check overlooks threats that evolve after it is done.
Embracing a proactive approach, like DevSecOps, can play a vital role in maintaining layers of security.
DevSecOps (an abbreviation of development, security and operations) is a practice which encourages a ‘security as code’ culture, where security is treated as an integral part of the development process, not as an afterthought.
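As an added illustration of what ‘security as code’ looks like in practice (this is an example written for this page, not the portal team’s own pipeline), the workflow below runs a separate security check at each stage, on every push and pull request, and again on a weekly schedule, instead of one big review before go-live. It assumes a Python project with application code under src/ and dependencies pinned in requirements.txt; the job names, schedule and directory layout are assumptions, while the checkout, setup-python and gitleaks actions and the bandit and pip-audit tools are real.

```yaml
# Added example, not code from the original post or its team.
# Assumes a Python project: code in src/, dependencies in requirements.txt.
name: security-checks

on:
  push:
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # weekly re-run: advisories published after merge are still caught

jobs:
  secrets-scan:
    # Stage 1: catch committed credentials before they spread through history
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0    # full history so the scanner sees every commit
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  static-analysis:
    # Stage 2: scan the code itself for common weakness patterns
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install bandit
      - run: bandit -r src

  dependency-audit:
    # Stage 3: check third-party packages against known vulnerabilities;
    # a failing job blocks the merge, so findings are fixed while the change is fresh
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install pip-audit
      - run: pip-audit -r requirements.txt
```

Each job fails the pipeline on its own, so a leaked secret, a weak code pattern or a vulnerable dependency is reported on the change that introduced it, and the scheduled run keeps checking a branch that has not changed, which is the ongoing monitoring the first myth in the table above overlooks.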
The team that supports this portal has adopted a DevSecOps approach, and we seek to integrate security practices at every stage of our development lifecycle. If you’d like to know more, see our post, How we protect our code.