“Actionable Cybersecurity” – A Key Strategy for Government and Industry CIOs
Federal Chief Information Officers, like their private sector CIO counterparts, lead the integration of information technology and organizational strategy. CIOs must balance the daily needs of operational IT across their enterprise with how IT can contribute to longer term mission goals, while at the same time overseeing policy and resources for IT in a challenging fiscal environment. U.S. Government CIOs are also in the midst of working with their c-suite colleagues to implement the Federal Information Technology and Acquisition Reform Act (FITARA), which strengthens the role of CIOs in budgeting and acquisition and fosters a governance framework for IT, functional, and mission leaders across agencies.
Given the expanding role for CIOs to help drive IT toward addressing key mission objectives, the Center for The Business of Government hosted a CIO Leadership Forum with several dozen public and private sector IT and c-suite leaders earlier this summer. This non-attribution session promoted candid dialogue across government and industry for how CIOs can best drive change in their organizations, in three specific domains:
- Modernizing IT given aging infrastructures, leveraging the rapid growth in modern cloud, analytic, and cognitive platforms;
- Making cybersecurity actionable, rather than compliance-oriented; and
- Capitalizing on the revolution in mobile computing, which has been the source of great advances in how citizens and governments interact anywhere and anytime.
This third of several posts addressing key points arising from the CIO Leadership Forum will focus on the second issue, actionable cybersecurity. (See the introductory blog.) Highlights from the Forum discussion follow.
Get Ahead of the Threat
- Forum participants agreed that Government and industry cannot simply react to threats anymore – agencies and companies need the capacity to predict where threats will occur, and respond in real time to threats that change shape every hour of every day. DHS’ Continuous Diagnostics and Mitigation (CDM) program provides a sound tool for agencies to leverage in monitoring and addressing incidents.
- Responses must be executable in practical ways, based on security built into solutions as the default setting, so that when that default is compromised, enterprises can take immediate action.
- Government and industry must work together to build partnerships that enable trusted information sharing and joint capability development – neither sector will succeed acting on its own. Similarly, both government and industry need to interact with the general public who access their networks every day, taking in ideas and promoting sound behaviors that limit vulnerabilities.
- The research community has a key role to play in identifying innovative solutions to leverage. Government organizations like DARPA, IARPA, and HSARPA can work alongside investment strategies coming out of the venture capital community and public-private research partnerships like In-Q-Tel, so that innovation in government cyber can follow the research lead set by industry.
Enable the Mission and Support Mission Users
- Forum attendees noted that any cyber strategy must balance mission enablement with protection. Government provides key information and services every day over open networks. Actionable cybersecurity approaches should enable mission delivery and not impede operations, since impeded operations can lead to work-arounds that further weaken protections.
- Different agencies will address this risk balance in different ways – for example, the delivery of social services will result in a set of actions that allow individuals to learn about, apply for and receive benefits, while the protection of taxpayer information requires strict attention to security and privacy for sensitive personal information.
- Accordingly, the delivery of practical cyber solutions must account for how an agency’s culture impacts its employees, beneficiaries, and stakeholders.
- Simple cyber solutions can be implemented by the majority of users with greater success than those that rely on complexity.
- Enterprises need to take human factors and usability into consideration when determining cybersecurity solutions; doing so can drive basic building blocks that help address the majority of vulnerabilities created by inadequate basic cyber hygiene, such as improper responses to “phishing” emails. This “inadvertent insider threat” can emanate from all levels of an organization – entry-level staff, c-suite leaders, and all levels in between.
- More advanced solutions must be adapted to the competency of the staff/workforce that will create and maintain the technical approaches – elegant technologies that cannot be implemented effectively will not be cost-effective.
Build Security Into Development
- Forum participants found that in general, software developers need training in how to build security into applications and increase their cyber analysis capabilities. Most development focuses on maximizing usability and service delivery, with protection bolted on after the application design.
- Making security core to the application lifecycle can significantly reduce basic software vulnerabilities, including through the use of development sandboxes where application failures help developers learn how to bolster protections for the next software release.
- Conversely, when adopting open source software, enterprises need to assess vulnerabilities in the supply chain behind that application suite.
- Building security at the data level can complement the technical approach at the systems level – especially in protecting personally identifiable information and other sensitive data.
- There is a growing movement around the development of resilient solutions that are “self-healing” – cognitive approaches that learn about threat and response patterns and can address a breach immediately, without needing to wait for human intervention (but providing notice about such actions as a check for system overseers).
Governance Frameworks Can Promote Collective Action and Recognize Success
- Governance frameworks that promote sound decision-making can significantly enhance organizational capacity to provide for cybersecurity.
- Through leadership and collective action, enterprises can create communities of practice that connect experts with “mentees.”
- A key finding from the Forum was to “Celebrate the Security Hero” – just as law enforcement officers receive commendations for outstanding performance in combatting crime in the streets, cyber professionals should be recognized for exemplary performance in combatting cybercrime.