Industry execs push for mission-focused cyber strategies, not just compliance



Cybersecurity investments should focus on operational efficiency and threat prevention, as a group of participants put it during an industry roundtable.

Cybersecurity will remain a driving issue across the government space for years to come after several executive orders during the Biden administration created a framework around initiatives such as zero trust architecture.

But according to a group of executives we gathered to discuss cyber issues in the market, there needs to be a change that puts the focus on outcomes rather than compliance.

The executive roundtable we conducted in December was on the record, but not for attribution. See the sidebar at the end of this article for a list of attendees.

“I think the Biden administration has pushed the boundaries of the cybersecurity in the sense that they’ve pushed the narrative of cyber first,” one executive said.

This approach has accelerated the use of zero trust architectures and threat hunting, as well as giving the Cybersecurity and Infrastructure Security Agency more authority and visibility across the government.

Cyber incidents such as the Solarwinds hack drove the need for the executive orders and binding operational directives, the executives said.

One thing that the executive orders have added is granularity.

“If you look at a specific opportunity and the text of the RFP, it may not explicitly ask the right thing but now we have a North Star that we can say, in addition to what you’ve for, there’s this,” an executive said.

“It gives us the why for a particular approach,” another said.

But the uneven application of cybersecurity directives across the government remains a challenge.

“Some agencies have done better than others,” a participant said.

As a group, these executives largely said they want to see more cyber initiatives that tie into the mission and outcomes.

“If an agency is just doing this because it’s a compliance plan, it will just be a time and money suck,” one said. “But if we can tie to efficiency of operations and help them understand that, then you can demonstrate value.”

The need for better event logging became part of the discussion because it was included in the executive orders, and is critical to maturing how organizations approach risk.

Event logs give an inventory of what is happening on a network and what is connected to a network. As the data becomes more uniform, it opens opportunities to use artificial intelligence to make better decisions.

“When I think of the inventory, it’s not just your hardware devices and virtual devices, it is also the software components and tools,” an exec said. “You need attribution back to those inventory components because that supports not just compliance but also threat detection.”
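The attribution the executive describes, in working form: the following is an added example, not code from the article or from any of the participants' companies. It assumes uniform JSON event records (a constructed sample, with hypothetical host names and software versions) and a constructed authorized inventory of devices and the software approved on each. It derives an observed inventory from the logs, attributes every event back to an inventory component, and reports the gaps (an unknown host, or software not approved on a known host), which is where compliance data becomes detection data.

```python
"""Added example (not from the article): build an inventory from uniform event
logs and attribute each event back to an authorized inventory component."""
import json
from collections import defaultdict

# Constructed sample of normalized JSON event records. Hosts, software names
# and timestamps are hypothetical; one deliberately garbled line is included
# to show that malformed records are dropped rather than breaking the run.
SAMPLE_EVENTS = [
    '{"ts": "2024-12-02T08:00:01Z", "host": "app-01", "software": "nginx/1.24", "action": "process_start", "user": "svc-web"}',
    '{"ts": "2024-12-02T08:00:05Z", "host": "app-01", "software": "nginx/1.24", "action": "listen", "port": 443}',
    '{"ts": "2024-12-02T08:01:10Z", "host": "db-01", "software": "postgres/16", "action": "process_start", "user": "postgres"}',
    '{"ts": "2024-12-02T08:02:30Z", "host": "lab-vm-7", "software": "python/3.12", "action": "listen", "port": 8080}',
    '{"ts": "2024-12-02T08:03:00Z", "host": "app-01", "software": "curl/8.5", "action": "outbound", "dest": "203.0.113.9"}',
    "collector restarted -- partial record {\"ts\": \"2024-12-02T08:03:",
]

# Constructed authorized inventory: hardware/virtual devices and the software
# components approved on each. This is the target of the attribution.
AUTHORIZED_INVENTORY = {
    "app-01": {"nginx/1.24"},
    "db-01": {"postgres/16"},
}


def parse_events(lines):
    """Parse uniform JSON event records; skip lines that are not well-formed
    JSON objects carrying the fields the inventory needs (host, software, ts)."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and all(k in rec for k in ("host", "software", "ts")):
            events.append(rec)
    return events


def build_observed_inventory(events):
    """Inventory derived from the logs themselves: which software ran on which host."""
    observed = defaultdict(set)
    for ev in events:
        observed[ev["host"]].add(ev["software"])
    return dict(observed)


def attribute_events(events, authorized):
    """Attribute each event to an authorized inventory component and return
    the events that cannot be attributed: an unknown host, or software that
    is not approved on a known host."""
    findings = []
    for ev in events:
        host = ev["host"]
        if host not in authorized:
            kind = "unknown_host"
        elif ev["software"] not in authorized[host]:
            kind = "unapproved_software"
        else:
            continue  # fully attributed to the inventory
        findings.append({"kind": kind, "host": host,
                         "software": ev["software"], "ts": ev["ts"]})
    return findings


def summarize(lines, authorized):
    """End-to-end run: parse, derive the observed inventory, attribute, report."""
    events = parse_events(lines)
    return {
        "events": len(events),
        "observed_inventory": build_observed_inventory(events),
        "findings": attribute_events(events, authorized),
    }


if __name__ == "__main__":
    # Sets are printed as sorted lists so the report is plain JSON.
    print(json.dumps(summarize(SAMPLE_EVENTS, AUTHORIZED_INVENTORY),
                     indent=2, default=sorted))
```

On the constructed sample the run drops the garbled line, records two hosts in the observed inventory that the authorized list does not cover (app-01 running curl, lab-vm-7 entirely), and returns those two as findings. The same records satisfy a compliance inventory requirement and feed a detection rule, which is the dual use the executive is pointing at.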

That information is the bridge a lot of agencies need to cross if they are to move from a compliance approach to one more focused on mission, another said.

“If we can tie it to efficiency of operations and include some mission relevant data, that data can help us make better decisions,” an exec said.

But for some executives, the talk about executive orders and moving away from a compliance-based approach to cyber was like déjà vu.

“I had this conversation 15 – 20 years ago. This very conversation about compliance and tying it into the mission,” an executive said. “This last administration did do some good stuff. They brought what I’ll call basic hygiene.”

But more questions need to be asked about what a dollar of cyber spending is worth. Answering that requires understanding the context of the mission and determining what to measure to understand the outcomes, executives said.

This becomes more complicated as the threat landscape evolves to include everything from traditional IT to operational technology, connected devices and critical infrastructure.

The government and contractors are stuck in what one executive called a “tail-chase,” where they are reacting to issues and breaches. They are not getting out ahead of things and understanding the nature of the threats they face.

“I’ve heard some guys say that we should basically punt and invest in recovery platforms,” another exec said.

Desired outcomes also depend on who you are talking to at the agency. The chief financial officer may want one thing, but the chief financial officer and the program manager might want other things.

The definition of what is an existential threat to an organization changes from person to person, particularly outside of the Defense Department.

“There is no one answer. For some it might be a nation-state actor or it’s the high school kids who have more access to technology than ever before,” an exec said.

Another exec said the threat model needs to focus on what data to protect, what level it is and then you can invest to the appropriate level.

The zero-trust model is the right approach, but it needs to evolve.

“The next phase of zero trust should focus on data classification, data protection,” one participant said. “It is going to be a lot harder than the first phase of zero trust.”


PARTICIPANTS

Amy Andrews, Booz Allen Hamilton

Rob Carey, Cloudera Government Solutions

Kynan Carver, Maximus

Chris Cleary, ManTech International

Mike King, Peraton

Dennis Lucey, Akima

Ryan Moore, Serco

Jesse Peoples, Leidos

John Sahlin, GDIT

Greg Thomas, Wiz

Mike Voss, SHI

Edward Yardley, Valiant Solutions

Steve Zakowicz, CGI Federal

NOTE: Washington Technology Editor-in-Chief Nick Wakeman led the roundtable discussion. The December gathering was underwritten by Wiz and SHI, but both the substance of the discussion and the published article are strictly editorial products. Neither Wiz, SHI nor the participants had input beyond their comments at the roundtable.