The phrase “take a lesson from the government” usually elicits a humorous response. Most wouldn't expect that any federal agency would be ahead of corporate America on just about anything. But when it comes to cyber security, businesses can learn some things from the military.
The biggest problem with corporate information security programs and policies is the lack of standardized processes, uniform control points and comprehensive testing. It's not a desire to be negligent. Rather, IT departments are often just overworked and understaffed. However, the end result can be significant lapses in security that hackers can leverage to their advantage.
It is for these reasons that the Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP) came to be, and commercial enterprises can use it as a guide for setting up their own methodologies. The program sets out an agency-wide, formal and standardized set of activities, security-related roles and tasks, and a management structure for the certification and accreditation of a DoD network, system, site or application, in order to maintain an appropriate information assurance status throughout its lifecycle.
Here's the teaching point: while corporate America's version need not be as bureaucratic and expensive as DIACAP, putting its systems through a standardized documentation, testing and certification process will ensure adherence to an appropriate information assurance posture. What's more, businesses don't have to reinvent the wheel. Technology companies with extensive experience in assisting military commands with this problem can be of significant value in expediting such programs in-house, on a defined budget and without burdening already thin internal resources. Make no mistake, though: the need to begin this type of initiative is immediate and critical.