I'm convinced that because of the critical infrastructure and services provided by the (poorly-protected) public sector, the potential impact of disruption, and the lack of affordable solutions for monitoring and response, there is a need that has to be filled. I can say with some authority that private sector managed security providers don't prefer this market (underfunded, biennial budgets, government procurement rules, long sales cycles, etc.), yet the criticality remains and the risk grows with time.
In my view, this is something that should be provided as a service - not necessarily by government, but by a consortium of government (because of infrastructure protection), academia (because of research and workforce development), and other stakeholders. There's more to this than I can write up in this blog, but suffice it to say that there is a goodly amount of enthusiasm in a number of states for replicating this model, and there will soon be a white paper released that says as much.
So here's my point. Rather than doing marketing, outreach and "sales" to acquire "customers", why couldn't the whole thing be done through public disclosure? Granted, this tactic wouldn't make any friends (at first), but hear me out. Many in WA know about the public disclosure requests for EVERY PUBLIC RECORD from EVERY JURISDICTION in King County. You may also know that a precedent in Jefferson County established that, yes, firewall logs are subject to public disclosure. You may also know that this is a big open data state, and we actually encourage (for the most part) publicly-available data for transparency, and to avoid the expensive public disclosure dance.
So why not request all firewall logs from all public entities in the state, for the purpose of mining for security events and communicating that information back? I think this would be legal in at least our state, and would be a way to create disruptive change that moves the needle.
Nothing changes by doing the same thing over and over, and right now that's what we are collectively doing. Managing by landmine, rather than taking steps to get in front of the problem. I'd like someone to tell me why this wouldn't work. I think it bears discussion.