Presented by EY
EY Cybersecurity Principal Rob Brougham outlines a three-part strategy to help government organizations stay ahead of a rapidly shifting cyber threat environment: know your environment, simplify and prioritize, and validate everything.
According to Brougham, today’s landscape is defined by constant change and resource scarcity. Zero-day vulnerabilities—unknown weaknesses that are exploited before a fix is available—emerge daily, while federal agencies face tighter budgets and smaller teams. “It’s a very difficult time right now,” he noted.
Understanding the threat environment begins with internal and external awareness. Internally, agencies need continuous monitoring of their IT and operational technology assets, as well as tight control over identity and access management. “Do they still have access after they’ve changed jobs?” Brougham asked, highlighting a common oversight.
Externally, threat intelligence is key to knowing what adversaries are doing and adapting defenses accordingly. It’s not just about internal controls—agencies must also assess the risks posed by suppliers and third-party vendors.
Simplification is equally important. Government IT environments are often complex and cluttered with legacy systems. One solution, Brougham said, is to build secure environments through DevSecOps—where security is embedded in development from the start. “If I want to build a system, I bring my data and identities into a secure environment where all the controls are already in place.”
Prioritization must also be refined. Agencies using the NIST Risk Management Framework often treat all controls as equally important. Brougham urges a shift away from checkbox compliance toward impact-based prioritization—focusing on controls that matter most to mission success.
Lastly, validation is essential. “Trust nobody and verify everything,” Brougham said. Too often, agencies rely on “feelings-based assessments” rather than hard data. Instead, he advocates for technical assessments that look under the hood of systems to verify configurations, close vulnerabilities, and confirm that remediations have worked.
In essence, Brougham’s message is that resilience lies not just in controls, but in culture: a mindset of constant vigilance, strategic focus, and rigorous validation.
Key Takeaways:
- Threat intelligence, identity access control, and continuous monitoring are foundational to cyber awareness.
- Simplification through secure-by-design environments and DevSecOps can streamline protection.
- Validation requires technical, not just subjective, assessments to ensure defenses are effective and up-to-date.