How effective are public-private partnerships?

Ninety-three percent of cyber decision-makers say public-private partnerships are vital to national defense, but only 34 percent believe they are very effective, according to a study from MeriTalk and RSA Conference.

When asked to grade current efforts, cyber decision-makers give public-private partnerships “C’s” for coordinating incident response, protecting critical infrastructure, and identifying systemic risk – one of the biggest threats they see to national and economic security.

The study – which surveyed 100 Federal and 100 private sector cybersecurity decision-makers – found that data privacy concerns and trust issues hold public-private partnerships back. Ninety-two percent of organizations are actively sharing information with partners, yet 43 percent of organizations feel it is more common for the private sector to share threat information with the government than the other way around. The study found 69 percent of cybersecurity decision-makers say there is reticence in their organization around cybersecurity information sharing.

Most agree a government-led partnership is the way forward, but there is little consensus on the best approach. The ideal ways for public and private organizations to work together to reduce cyber risk are – a government-led committee of private and public cybersecurity leaders (29 percent), government-issued directives for both public and private organizations (21 percent), a private organization-led committee of public and private cybersecurity leaders (20 percent), and both sectors working individually, only sharing information that is believed relevant (23 percent).

Private sector decision-makers significantly prefer a government-led committee (35 percent to 22 percent), while public sector decision-makers significantly prefer for both sectors to work individually (30 percent to 15 percent).

“Improving communication and trust between the public and private sectors is key to reducing cybersecurity risks,” said Nicole Burdette, principal, MeriTalk. “From MeriTalk’s perspective at the heart of government IT, it’s gratifying to see cyber decision-makers say President Biden’s Cybersecurity Executive Order prompted their organization to review internal processes and rethink the way they collaborate with public and private sector partners.”

“It’s encouraging that the data illustrates a general appreciation and respect for public-private partnerships and the role they play in reducing cyber risk. Given the increase in cyberattacks worldwide, it’s critically important for public and private sectors to find common ground, create a sustainable blueprint, execute on sharing information across the ecosystem, and make these partnerships work,” said Linda Gray Martin, VP, RSA Conference.

“With this research, RSA Conference 2022 next month, and ongoing conversations with information sharing groups, RSA Conference will continue to serve as a place for the exchange of ideas and sharing of information across both sectors.”

Going forward, 95 percent say improved information sharing will provide critical insight in an interconnected world and 97 percent feel successful public-private partnerships are key to their organization’s cyber resilience. The report recommends public and private sector cyber decision- makers mend the gap by:

• Clarifying leadership and responsibilities – starting with a unified strategy that bridges both sectors
• Making information sharing a two-way street – restructuring reporting procedures and appointing a single point of contact to streamline communication
• Building trust – solidifying data privacy expectations and considering mutual trust agreements to combat hesitancy
• Thinking holistically – modernizing legacy systems, adopting identity strategies, and implementing zero trust architectures to strengthen joint resilience