Actionable Cybersecurity Practices for the 21st Century: Perspectives from Experts

The IBM Center recently partnered with the National Institute for Standards and Technology (NIST) and George Washington University Center for Cyber and Homeland Security to convene a set of interactive discussions among Chief Information Security Officers (CISOs) and other security executives in government and industry.  The meeting highlighted challenges and opportunities for action.

In this post, we highlight key findings from the session – overall challenges, and opportunities for practical steps that government and industry can take to improve cybersecurity through workforce development, innovation, and other key areas.

General Challenges and Opportunities

Participants noted that more definitional work is needed to develop a common understanding of cybersecurity.  The NIST Cybersecurity Framework continues to provide a sound basis for developing an approach that crosses boundaries, and expanding that to promote understanding of cybersecurity by users who are not security experts could yield significant benefits in reducing the number of basic vulnerabilities.   Further expansion of the Framework approach can build trust that government is acting responsibly to safeguard cyberspace.

All participants pointed to the growing complexity and danger of the current threat environment – one used the term the “Internet of Threats” in describing risks faced in moving more physical applications online in the Internet of Things.  Indeed, new technologies can also help government and industry in identifying and addressing risks and threats; participants pointed to cloud-based approaches where patches can be instantaneously transmitted across a network.  And artificial intelligence can automate detection of malware and mitigate risk at scale, but also introduce a new threat if used by adversaries to launch those same threats in new ways.  Cognitive computing approaches that enable CISOs and their teams to automate routine decisions and focus on highest priorities, including open source vulnerabilities.  At the other end of the technology scale, government continues to operate using archaic and diverse systems that retain vulnerabilities – more effective modernization strategies, including shared/subscription services and adoption of more secure computing platforms (such as those offered by Blockchain), can provide significantly enhanced protection at reduced cost.

A constraint emerged among attendees around compliance and governance – the ever-increasing volume of rules and requirements consume resources and often result in a focus on merely checking the box, rather than practical actions to improve security.  This is an issue for government and industry: guidance leads to new steps in areas ranging from identity and access management to encryption, and this is made more complex for companies who must addresses compliance at the Federal, State and local level.   A sound governance framework, including a governance council with clear roles and responsibilities, can enable overstretched security staff to focus on outcomes while still ensuring compliance -- especially for government where constrained budgets are likely to remain the norm for several years (the Center issued a series of posts on the importance of governance for cybersecurity last year).

Given the constant threats and compliance issues faced by cyber security teams 24x7 and a world where adversaries only have to be successful once, addressing threat vectors in a risk management framework is critical. That involves focusing on controlling basic risks among the general population, prioritizing risks for special attention based on severity of potential threats, responding quickly to threats as they rise, and being resilient in recovering from incidents that inevitably occur.  A mission focused enterprise risk management framework can also enable security teams to work with mission colleagues in balance protection relative to program impacts.  This expands the focus of how to address risks beyond security and IT and systems to the people, processes, and data that are essential to carrying out agency goals and objectives.

The People Challenge

One specific discussion about how to drive security across the workforce identified multiple actions that could enhance an organization’s security profile. These strategies would strengthen incentives for the “non-cyber” workforce to keep the focus on security as part of their normal day to day jobs in support of agency missions.

The general workforce of an agency (or any organization) often do not receive sufficient and understandable information about the threats around them and the importance of good security to address those threats.  Many rely on outdated tools and systems, and received only sanctions when things go wrong (as opposed to rewards when they go right).  As a result, security becomes a culture of fear and avoidance, where users share experiences by focusing on problems like systems shutdown after updates, password lockouts lasting several days, or premature patching the caused applications to stop working. These situations cause users to be reluctant to take proactive prevention actions such as enhancing security protocols that promote good cyber practices (e.g., maintaining strong passwords and avoiding leaving written passwords be visible in open offices).

Some positive practices identified to address these and similar issues include:

• Create enterprise risk management practices -- align cyber security and mission functions and objectives.
• Make security a positive part of the culture – an integral element of an organizational standard way of operating, not a separate silo.
• Provide continuous training, not just once a year checkbox exercise – for example, the State Department’s longstanding “Tips of the Day” program asked all user a security question on log-in. This can also include security incident response exercises.
• Create rewards for positive behaviors -- such as successfully avoiding social engineering attacks like “phishing” that rely on a recipient thinking an email comes from a trusted source (versus just consequences for not passing).
• Regular patching of vulnerabilities and required, easy to implement updates of passwords and software -- this should be transparent for users and done in a rapid timeframe, through steps like trusted vendor patches .
• Ensuring that personally identifiable information is properly protected -- both for users in an agency and for the constituents who are served by that agency’s programs.
• Establish a user community to share security issues – for example, email or common repository of information that is also monitored by cyber professionals for responses, to help other users that run in to same/similar challenges).

Innovating Security:  Technology, Operations, and Policy

Finally, participants also discussed new strategies to expand good security that can come from cyber experts.  As government works with industry to leverage innovation in technology, cyber will benefit.  Several approaches were discussed.

• Better software assurance – building security into software as its developed, rather than bolted onto applications after the fact. This reinforces software vendor responsibility to keep up security patches.
• Automated self-healing detecting and mitigating networks – using big data analytics and cognitive computing to help increase situational awareness, detect anomalies, mitigate damaging traffic or attacks across large data sets and global networks, and share and deploy proven response and resiliency actions that move at machine speed. Similar technologies can help to detect and respond to insider threats, while protecting privacy – which will be a critical success factor for any new security innovation.
• Deterrence that raises the cost of attack by taking action to shut down threat vectors as they appear – innovate to flip the economics so that the cost of an attack is higher relative to the potential benefit to the attacker.
• Establish collaborative community response networks, (e.g., a “Cyber CDC”) -- jointly defend against and defeat bad actors. Agencies can work together to establish community rules and share threat insights, processes, and resources to expand cyber security resilience.
• Timely information sharing and response – our adversaries do not wait for permission in sharing vulnerabilities, government and industry should build on programs like the DHS NCICC so as to match their speed in acting to counter the effects of malware and other threats.
• Adaptation of industry best practice for government – creating pathways to introduce new tools, try them out, and expand them in a manner consistent with fair procurement rules.

Image courtesy of lekkyjustdoit at FreeDigitalPhotos.net