Page 93 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022

President Biden’s budget proposal is a step in the right direction, but debate continues around whether it’s big enough and where the dollars are going. That’s where intention gives way to results.


Getting back to basics

Hackers don’t need brute-force tactics to break into network and data assets: they can, and often do, log in with stolen or compromised credentials. They exploit weaknesses in third-party software. They even con employees into doing the dirty work for them. Government agencies are rightly focused on decreasing these risks, reducing technology complexity, achieving better compliance, and doing whatever else it takes to prevent sensitive data breaches.

But that’s not enough. Agencies must first understand what lives in their own environments: What are their IT assets? How many devices connect to their agency? How many servers? What’s on the network? What’s in the cloud? What tools are configured on devices and other endpoints? Are the tools configured correctly? Can they see absolutely everything in their environments and make real-time changes with up-to-the-second data?

If there’s even a whiff of uncertainty about the number of assets or the software that runs on them, tech leaders must perform a comprehensive risk assessment. There’s no way to protect what you don’t know you have, so teams must inventory and validate all IT and security assets.

It may help to keep in mind that 79 percent of organizations recently surveyed report widening visibility gaps in their cloud infrastructure, while 75 percent found the same problem across end-user and IoT devices. Similar gaps exist across federal, state, and local agencies, making it imperative for them to know their assets intimately — including every piece of software that runs on them at any given point in time.

After an agency has absolute clarity into its assets, the next step is to secure all its endpoints, whether laptops, PCs, or virtual machines in the cloud, using prevention-first solutions. If agencies approach cybersecurity like much of the private sector does, focusing on detecting and responding to threats, or trying to overcome basic deficiencies with tools, they will not keep their endpoints or their data secure. An ounce of prevention is worth a pound of cure.



The final step, after an agency has identified and inventoried all its assets, is to continuously maintain a clean, secure environment — and that means creating a process for updating software and deciding who’s responsible for installing patches, for running vulnerability scans, and for determining how issues, once discovered, are remediated.
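As an added illustration of the inventory step (example code written for this page, not from the article or any agency's tooling), the script below reconciles three constructed inventories, the asset register (CMDB), the endpoint protection console (EDR) and the cloud provider's instance list, and flags the assets an agency cannot claim to protect: those missing from the register, those with no endpoint agent reporting, and those whose agent data is too stale to count as up-to-the-second. Asset ids, timestamps and the 24-hour freshness threshold are all assumptions.

```python
"""Reconcile asset inventories from several sources to surface visibility gaps."""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample produces reproducible results.
NOW = datetime(2022, 6, 1, 12, 0, tzinfo=timezone.utc)
STALE_AFTER = timedelta(hours=24)  # assumed freshness threshold for agent check-ins

# Constructed sample inventories (not real agency data).
CMDB = {"lap-001", "lap-002", "srv-010", "srv-011"}          # official asset register
EDR = {                                                       # hosts reporting to the endpoint console
    "lap-001": NOW - timedelta(minutes=5),
    "srv-010": NOW - timedelta(days=3),                       # agent installed but silent for days
    "vm-cloud-7": NOW - timedelta(minutes=1),
}
CLOUD = {"srv-011", "vm-cloud-7", "vm-cloud-8"}               # instances enumerated from the cloud API


def reconcile(cmdb, edr, cloud, now=NOW, stale_after=STALE_AFTER):
    """Return gap categories -> sorted asset ids, across the union of all sources."""
    known = set(cmdb) | set(edr) | set(cloud)
    return {
        # Seen by a tool or the cloud API but absent from the register: unknown to the agency.
        "not_in_cmdb": sorted(known - set(cmdb)),
        # Discovered somewhere, but no endpoint protection agent reports for it at all.
        "no_edr": sorted(a for a in known if a not in edr),
        # Reporting, but the last check-in is older than the freshness threshold.
        "stale_edr": sorted(a for a, ts in edr.items() if now - ts > stale_after),
    }


def coverage_pct(gaps, cmdb, edr, cloud):
    """Share of all discovered assets that are registered, protected and fresh."""
    known = set(cmdb) | set(edr) | set(cloud)
    flagged = set().union(*gaps.values())
    return round(100 * (len(known) - len(flagged)) / len(known), 1)


if __name__ == "__main__":
    gaps = reconcile(CMDB, EDR, CLOUD)
    for category, assets in gaps.items():
        print(f"{category:12s} {', '.join(assets) or '-'}")
    print(f"fully covered: {coverage_pct(gaps, CMDB, EDR, CLOUD)}% of discovered assets")
```

In this sample only one of six discovered assets is registered, protected and fresh; every flagged id is a concrete item for the asset-validation and patch-ownership process the article calls for.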



There are an average of 50 common vulnerabilities and exposures discovered every day. Software developers are constantly updating their code, which means that annual or even quarterly scans of