News that the Biden-Harris team seeks congressional approval for an enormous spending plan that includes some $9 billion for IT and cybersecurity and also just named a federal chief information security officer (CISO) offers some welcome hope.
Underfunded federal agencies are long overdue for an upgrade to modernize technology infrastructures and safeguard sensitive data. There have been some very worrying breaches in federal government that have exposed personal data –most recently the SolarWinds hack – and it’s an urgent issue.
While it’s positive news, it will take more than money to overcome the challenge of creating effective, cyber-secure shared services at the federal level.
For the administration to succeed, it must truly empower Chris DeRusha, the new federal chief information security officer (CISO), and give him the power to foster cross-agency collaboration, forging strong partnerships with the private sector without fear of political or partisan backlash. Only then can the new CISO conduct a thorough risk assessment across the government to determine where and how to best allocate funds. Here are five points for DeRusha and his team to consider moving forward:
- Bring the federal government together.
Think of the federal government as a patchwork quilt, it's made up of lots of different fiefdoms. It’s quite a challenge for a federal CISO to knit these groups together. How can DeRusha enable true collaboration across that environment? It will take skill and persistence to foster meaningful collaboration in such a political environment, but it’s a worthy goal.
There are enormous potential benefits to true collaboration across federal agencies on data sharing, identity management, collaboration tools, shared security, and cloud computing. DeRusha will need strong backing and real power to effect change. He must start by figuring out where and how to most effectively spend the money in an environment often best known for waste than frugality.
- Run an in-depth risk assessment.
DeRusha must step back and take the time to understand the root cause of problems that have traditionally prevented IT and cyber effectiveness. It’s a massive task. Start by conducting a risk assessment across the entire federal corporate estate. Where are the weaknesses? Where are the major risks? Protect the most valuable assets first and focus on where the government needs to spend with an eye to the future. That means shared security and cloud computing, it means edge computing, it means drilling into all of the ways in which data gets shared across that federal minefield.
The new CISO will also need to educate. Simply allocating what some may see as an eye-watering amount of money to the security challenge does not guarantee security, because breaches will persist. As every security professional knows, 100 percent foolproof security doesn’t exist. It’s a fool’s dream, which feeds into the need for robust recovery plans and proper incident response, better known as resiliency. In the end, resiliency will determine DeRusha’s success and it’s the goal we should measure.
- Develop alliances with top talent.
While the administration plans to request $200 million specifically to hire more IT experts and cybersecurity professionals, the cyber skills shortage has become a major obstacle. Government needs to look at ways of attracting talent. It needs to spread some tentacles into the industry; to sponsor university and college programs, specifically target institutions that invest in future technologies, such advanced artificial intelligence and examine ways to apply it effectively.
DeRusha must remain pragmatic. It will take time to build these programs and attract the best people. Looking at some of the companies that boast the storehouse of top talent today, it’s unlikely that skilled IT and cyber talent will depart flourishing careers in the private sector to work for the government. On the other hand, government can build true private-public alliances and partnerships with the smartest businesses in the cyber industry to gain fruitful access to those rare skill sets.
- Focus on supply chain and third-party risks.
Securing federal agencies are only part of the puzzle. A significant proportion of breaches can be traced back to third-parties. Cyber-criminals and state sponsored bad actors are adept at probing for the path of least resistance and gaining access laterally through a third-party. We must allocate money to secure the supply chain and to assess third-party risks. Where does the most important data reside, who provides it, and how does it get used? This will need to include outreach not just across the federal government, but also across state and local agencies, which often deliver the data that feeds the federal machine.
We should fund the weakest areas based on the federal government’s risk appetite. That will require staffing and much tighter security around cloud and shared services. Once again, fabric-level collaboration will remain important.
- Invest in security awareness and strive for privacy.
President Biden wants to have a positive impact on our cybersecurity challenges, but there’s a lot of geopolitical uncertainty and instability, and there are major societal risks at home. There’s been a lot of investment around the world into monitoring technologies, trying to anticipate what people do and how they use data. The pandemic has fueled this data gathering to levels never seen before, especially for medical research and societal management. Privacy has become a major issue that we must handle sensitively and appropriately. We also need to stop assuming that security revolves around technology and understand the role that people play in securing systems. Education and security awareness will need constant funding until we reach the point where the public accepts security as an integral component in everything we do.
But let’s put the challenges aside. There’s an opportunity here to gather people together both within the federal government and across the business community to foster real partnerships – not for political ends or to further their own organizations – but for the good of society. Cybersecurity should sit at the core of any government agency tasked with handling personal and sensitive data.
Data will continue to power cross-societal federal initiatives, but we must handle that data with care, sensitivity and responsibility. And that will require leadership and collaboration across party lines and public/private partnerships. This higher awareness of the need for a social conscience, for business to give back with security viewed as the driving force, could mesh well with President Biden’s message of national unity.
While there’s much work ahead, the cybersecurity industry has good reason to feel optimistic about the future.
Steve Durbin, chief executive officer, Information Security Forum