Talent, culture, cybersecurity and data privacy represent top risk issues for public sector organizations

Commentary - Public Sector Industry Group

In assessing the global risk landscape for public sector organizations in 2023 and 2032, familiar themes emerge: talent and the future of work, culture, cyber threats and data privacy.

The top risk issue in the public sector for 2023 is succession challenges and the ability to attract and retain top talent, while the second-ranked risk issue for these organizations is anticipated increases in the cost of labor. These are ongoing concerns for public sector organizations, as they compete with the private sector for talent and skills, particularly those required to drive innovation programs and technology transformation.

Interestingly, economic conditions potentially restricting growth opportunities are ranked in the top five risk issues for public sector organizations for 2023, even though federal, state and local public sector entities tend to be less affected by economic cycles. That said, the coming year appears to present potential challenges that public sector leaders do not see 10 years out, as economic conditions are not in the top 10 list of risks for this period.

Public sector leaders also expressed concerns about uncertainty in core supply chain ecosystems as well as organizational resilience and agility to manage an unexpected crisis. Because public sector agencies purchase large quantities of products and services, these understandably are significant issues. Supply chain and resilience challenges are of particular concern as they relate to IT and operational technology hardware and software.

Beyond these challenges, prevalent themes in the top risks for public sector organizations in the coming year as well as the next decade include cybersecurity, privacy and third-party risk. There are a number of important factors at play here that are driving these concerns. First, in the United States, the U.S. Government Accountability Office (GAO), in its latest cybersecurity guidance, notes that the federal government needs to elevate the nation's cybersecurity as the country faces grave and rapidly evolving threats.

Although the federal government has made some improvements, it needs to move with a greater sense of urgency commensurate with the rapidly evolving and grave threats to the country. Specific recommendations include the following:

• Establish a comprehensive cybersecurity strategy and perform effective oversight. In September 2018, the U.S. administration delivered a national cybersecurity strategy, followed by an implementation plan in June 2019 that details the executive branch's approach to managing the nation's cybersecurity. In September 2020, GAO reported that the national strategy and implementation plan addressed some, but not all, of the desirable characteristics of national strategies, such as goals and resources needed. The current administration needs to either update the existing strategy and plan or develop a new comprehensive strategy that addresses those characteristics. GAO also highlighted the need to define a central role for leading the implementation of the national strategy. In January 2021, the U.S. Congress established the Office of the National Cyber Director within the Executive Office of the President. Although establishing this position is an essential step forward, critical risks remain within supply chains, workforce management and emerging technologies. For example, in December 2020, GAO reported that none of the 23 U.S. government agencies in its review had fully implemented key foundational practices for managing information and communications technology supply chains.

Prevalent themes in the top risks for public sector organizations in the coming year as well as the next decade include cybersecurity, privacy and third-party risk.

• Secure federal systems and information. The U.S. government has made some progress in securing systems. Nevertheless, federal agencies continue to have numerous cybersecurity weaknesses, due in large part to ineffective information security programs. Further, cyber incidents increasingly are posing a threat to government and private sector entities. The gravity of the threat was reinforced by the December 2020 discovery of a cyberattack that has had widespread impact on government agencies, critical infrastructure and the private sector. In 2019, GAO reported that most of the 16 agencies reviewed had incident response processes with key shortcomings, thereby limiting their ability to minimize damage from attacks.
• Protect cyber critical infrastructure. Critical infrastructure in the United States involves both public and private systems vital to national security. Since 2010, GAO has made nearly 80 recommendations to enhance infrastructure cybersecurity; for example, GAO recommended that agencies better measure the adoption of the National Institute of Standards and Technology (NIST) framework of voluntary cyber standards and correct sector-specific weaknesses. However, most of these recommendations (nearly 50) have not been implemented. As a result, the risks of unprotected infrastructures being harmed are heightened. Without question, this is a global challenge. In Australia, for example, the Security of Critical Infrastructure Act 2018 requires owners and operators of critical infrastructure to take steps to safeguard vital assets. The Act subsequently was amended to broaden the scope of industry sectors, through a combination of The Security Legislation Amendment (Critical Infrastructure) Act 2021 and The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022. These two legislative reforms form the Commonwealth framework for critical infrastructure protection, as well as legislated last resort powers in the event of a catastrophic cyber security incident.
• Protect privacy and sensitive data. The U.S. federal government and private sector have struggled to protect privacy and sensitive data. Advances in technology have made it easy to collect information about individuals and ubiquitous internet connectivity has facilitated sophisticated tracking of individuals and their activities. The vast number of individuals affected by various data breaches has underscored concerns that personally identifiable information is not being protected adequately. GAO's reviews of agency practices to protect sensitive data have identified weaknesses and have resulted in numerous recommendations for agencies such as the U.S. Department of Housing and Urban Development, U.S. Department of Education and U.S. Internal Revenue Service.

About the Executive Perspectives on Top Risks Survey

We surveyed 1,304 board members and executives across a number of industries and from around the globe, asking them to assess the impact of 38 unique risks on their organization over the next 12 months and over the next decade. Our survey was conducted online in September and October 2022 to capture perspectives on the minds of executives as they peered into 2023 and 10 years out.

Respondents rated the impact of each risk on their organization using a 10-point scale, where 1 reflects "No Impact at All" and 10 reflects "Extensive Impact." For each of the 38 risks, we computed the average score reported by all respondents and rank-ordered the risks from highest to lowest impact.

Read our Executive Perspectives on Top Risks Survey for 2023 and 2032 executive summary and full report at www.protiviti.com/toprisks or http://erm.ncsu.edu.

1. Each respondent rated 38 individual risk issues using a 10-point scale, where a score of 1 reflects "No Impact at All" and a score of 10 reflects "Extensive Impact" to their organization. For each of the 38 risk issues, we computed the average score reported by all respondents.

Advances in technology have made it easy to collect information about individuals and ubiquitous internet connectivity has facilitated sophisticated tracking of individuals and their activities. The vast number of individuals affected by various data breaches has underscored concerns that personally identifiable information is not being protected adequately.