Government agencies are urging their technology leaders to rethink their approach to protecting their systems and data, which raises a critical question: given limited resources and constantly evolving threats, how should agencies decide where to invest those resources to address their most critical threats and most effectively manage their risks? The answer lies in a program's ability to proactively assess and take ownership of its risks, as well as its ability to build and maintain a cybersecurity workforce trained in the most current cybersecurity tools and techniques.
Creating an Approach to Proactively Assess, Own, and Mitigate Technical Risk
System owners and program managers should approach their cybersecurity programs with reality in mind: their systems are vulnerable, and cyber threats are constantly evolving. Since security resources are finite, agencies must implement proactive plans to identify and prioritize their cyber risks, giving a clearer picture of how resources should be spent to mitigate them.
The adoption of the NIST Risk Management Framework (RMF) across the Federal Government over the last several years was meant to help agencies identify and prioritize risks, and to force the development of plans of action and milestones (POA&Ms) for the risks identified. While RMF has undoubtedly introduced a higher level of security control, several factors (e.g., more controls to address, often without more resources to address them) have at times turned its implementation into another “compliance drill,” allowing both new and existing system vulnerabilities to remain unmitigated, or worse, unidentified, and creating a critical risk of intrusion and compromise.
RMF has also unintentionally created incentives to shift risk ownership to other organizations (e.g., minimizing the number of security controls that must be addressed and tested by the system owner organization for a perceived but often unrealized cost saving). System owners and their cybersecurity teams know their systems better than anyone; therefore, system owners should look to own and manage as many of their system risks as possible, since they are best positioned both to understand the impact of the vulnerabilities and to develop the most effective mitigation strategies.
The introduction of RMF has also unintentionally created a requirement for an unmanageable number of policies and processes, which are often enforced inconsistently due to a lack of oversight resources. Identifying and implementing technologies and automated solutions that implement and enforce such policies and processes will inherently make programs more secure.
Proactive Workforce Transformation and Continuous Training
A large portion of the money allocated for IT in Federal agencies is spent on Operations and Maintenance (O&M). Federal agencies and their program owners also often find themselves in need of substantial security improvements to protect their systems, but lack the resources to make them. While some O&M money is focused on cybersecurity tools, technologies, and resources, much of it is spent on manual system maintenance activities. As artificial intelligence (AI) continues to emerge, agencies should re-examine such manual O&M processes and identify ways to automate those tasks, enabling the reallocation of resources toward mitigating critical cybersecurity threats.
A common source of resistance to automating tasks historically completed by humans is the view that jobs will be lost as artificial intelligence (AI) expands. To counter this view, forward-thinking and proactive system owners and managers should take time to talk with their employees about cybersecurity training opportunities, and help them understand that as cyber threats continue to evolve, the demand for trained cybersecurity experts who can identify them will only increase. The role of, and demand for, humans in the field of cybersecurity is expected to grow; this is an opportunity for team members to advance their careers, and many agencies and companies have robust, paid training programs in place to support the demand in this industry.
Lastly, but most importantly, it is imperative that Federal agencies refocus on the human element of cybersecurity. System users and managers alike often fall into the trap of complacency, believing their systems are secure and their data hasn’t been, or is unlikely to be, compromised. The easiest targets for system breaches are people who create risk by not following the most basic security guidelines, such as frequently changing passwords, creating passwords that can’t be easily guessed, and not connecting to or working on unsecured networks. According to a recent industry study, the average cost of a data breach is $3.9M, not to mention the second- and third-order impacts that can manifest over longer periods of time. It is critical that system owners implement concise, targeted, and current cybersecurity training programs with the goal of creating and incentivizing a more proactive and vigilant cyber workforce.
Transforming Critical Challenges into Great Opportunities
Despite these enormous challenges, there are great opportunities for Government agencies with a forward-looking attitude and ambition. A cyber strategy that prioritizes adopting the latest cybersecurity technologies, combined with a robust workforce adoption and transformation program, is a critical starting point. Government agencies need to remain at the forefront of IT security in order to protect our national security. We’re committed to enabling Smart Government™ by supporting digital transformation solutions that defend government agencies from cyber threats.
Learn more about how we help civilian, defense, and intelligence agencies mitigate risk through security technologies and processes that extend protection and management controls across the expanding digital environment.
Written by Scot Stitely