After a year of remote work, how can we achieve better cybersecurity?
Federal IT teams continue to grapple with security concerns of a remote workforce, but now they have lessons learned from a year of people working from home.
As we reach the one-year milestone of working from home, federal IT teams continue to grapple with new and heightened security concerns while continuing to look for better ways to keep government networks secure.
A recent survey of federal IT leaders shows that agencies should conduct routine cybersecurity training for all employees and participate in security simulations to learn how to handle threats they may encounter on the job. To continue strengthening cybersecurity, Department of Labor CIO Gundeep Ahluwalia said the process is “a marathon, not a sprint,” necessitating a “sustained focus over many years,” and almost half of federal leaders said a resilient federal government requires a focus on cutting-edge cybersecurity.
The Biden administration recently released National Security Strategic Guidance seeking to make cybersecurity a “top priority” that requires both a diplomatic and military response. “We will elevate cybersecurity as an imperative across the government,” the guidance stated. “We will work together to manage and share risk, and we will encourage collaboration between the private sector and the government at all levels in order to build a safe and secure online environment for all Americans.”
Software supply chain attacks are one of the most significant cybersecurity challenges we face today, as shown by the recent SolarWinds breach. These attacks are a threat to every industry, and while there is no silver bullet to stop them, the recent Executive Order aimed at creating resilient and secure supply chains is an encouraging step in the right direction.
With continued, heightened risk, it is critical to set aside traditional risk assessments and protections and start looking at risk pragmatically. Whether we’re talking about third-party software, hardware, or even third-party managed services, organizations still rely too much on blind trust and manual, spreadsheet-based approaches to provide assurance on cyber risk.
First Step to Finding a Solution: Teamwork
As guardians of IT networks, we have to be right 100% of the time to truly protect data. Cyber adversaries, on the other hand, get unlimited tries, and only have to be right once. The reality is, if you’re the target of a nation state, hackers are getting into your network. Cyber warfare has gone on for decades, and nations are skilled.
So what steps can private and public sector organizations take to defend against potential threats and work towards a solution? They need to identify what tools and tactics hackers are using against government agencies; collaborate to detect, contain, and mitigate potential threats; share information as quickly as possible; and consider what happens during and after an attack, and what tooling is in place to deal with it.
To maintain the integrity of the federal supply chain, we need to make sure attacks like the recent SolarWinds breach never happen again. To do this successfully, we have to better protect critical information and create a mechanism by which federal agencies and private vendors can provide truthful testimony as to the protections they have in place.
The federal government can request specific information about a vendor’s entire IT enterprise – but agencies often rely on vendors to provide them with safe/secure solutions.
There’s no easy way to prove that vendors are running a tight ship today – but federal agencies and vendors are starting to talk about how to solve this problem through modern means. The Cybersecurity Maturity Model Certification (CMMC) is a great example – and will be a critical achievement for companies looking to do business with the federal government. If we’re successful, it will be because of this burgeoning cooperation.
Let’s Set Aside Traditional Risk Assessments
With this heightened risk, let’s set aside traditional risk assessments and protections and start looking at risk pragmatically. With a holistic approach in mind, vendors, systems integrators, and federal agency IT teams can save time and money and align resources while working to protect personal and sensitive government data.
The cybersecurity industry needs rich, quantitative data with reputable third-party attestations and assessments. We also need to focus on the speed to detect and respond to cyber threats vs. the narrow view of point-in-time risk assessments.
Let’s do what we’ve always done best as a country; let’s solve a very difficult, existential problem by combining the collective ingenuity of our public and private sectors.
By working together with a holistic risk management approach, public and private sector organizations can save time and money and align resources while working to protect personal and sensitive government data. We shouldn’t prioritize what’s best for business or for one particular agency’s mission – we should focus on what’s best for our friends, our neighbors, each and every one of us who rely on one another and whom we, as government and technology leaders, have an obligation to protect.