As we head into 2021, cybersecurity remains top of mind for public sector organizations. Agencies often look for a blanket security solution, but according to Bruce Brody, Resident Chief Information Security Officer (CISO) with Proofpoint, they need to look deeper at where their vulnerabilities actually lie – and what they’ll find is that people are a leading threat vector. Recently, Government Technology Insider spoke with Brody about his current role and experience as a CISO, how the security environment is changing for agencies, and which areas organizations should focus on to stay secure in 2021, including people-centric security.
Read on to learn about Brody’s insights for public sector agencies:
Government Technology Insider (GTI): Tell me a bit about your experience and current role.
Bruce Brody (BB): I became the first Senior Executive Service (SES) Chief Information Security Officer (CISO) at a cabinet-level department when I was selected to be the CISO at the Department of Veterans Affairs in 2001. In 2004, I became the CISO at the Department of Energy. As the Resident CISO for Proofpoint Federal, I help federal agencies find solutions to the infosec challenges within the government and understand the unique requirements agencies face when it comes to cybersecurity.
GTI: How has the security environment changed for government agencies this year?
BB: Obviously, the Coronavirus pandemic changed the way many agencies operate. Many of them moved to remote, work-from-home operations, and a few of them might remain in that mode going forward. The complexities of operating securely in a remote telecommuting mode were addressed early on and continue to be enhanced.
Notwithstanding the pandemic, federal agencies continue to be focused on cloud migration, digital transformation, and zero trust architecture. And as the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) rolls out programs like Continuous Diagnostics and Mitigation (CDM) across the federal agencies, many CIOs and CISOs will take advantage of the CDM initiative by consolidating technologies, retiring agency-unique solutions, and standardizing on DHS-provided capabilities.
GTI: What areas do agencies need to be cognizant of in their security structure? How can these vulnerabilities be mitigated?
BB: The Federal Information Security Modernization Act (FISMA) and the NIST Risk Management Framework (RMF) and Cybersecurity Framework (CSF) are fundamentally systems- and network-centric approaches to improving the cybersecurity and risk management posture of the federal enterprise. A systems- and network-centric approach might be a good start, but it’s not a complete approach. The most sophisticated and successful attacks are being conducted against people, rather than systems and networks. Knowing which of your people are being attacked, who’s attacking them, how they’re being attacked, and how to respond is a missing capability in the cybersecurity arsenal of federal CIOs and CISOs.
GTI: How does a people-centric security approach set agencies up for success?
BB: People are the enterprise’s new perimeter, and email is the number one threat vector. Knowing who in the enterprise is being attacked, how they’re being attacked, and how to defend against these attacks would be a game changer in the cybersecurity defense of the federal enterprise.
GTI: Any advice as the government and other organizations adapt to this “new normal”?
BB: Invest in email security, but remember that “easy is not enough.” The leading email defense offering is far more effective and far more cost-effective than hitting the easy button and going with a larger vendor that offers an inferior email security solution as an add-on to its major offerings. Studies show that over 90 percent of all successful attacks start with a human clicking on a link that creates havoc, yet only 10 percent of cybersecurity spending is dedicated to protecting people. That needs to change if there is any hope of preventing the next major breach.