Last month was National Cyber Security Awareness Month and while federal CIOs and CISOs ensure that agency workers remain vigilant all year round, the additional focus of a month dedicated to cyber security is a great time to “raise awareness about cybersecurity and… increase the resilience of the Nation in the event of a cyber incident,” according to the Department of Homeland Security. While many of the activities and awareness campaigns are targeted at individuals, federal agencies – both civilian and defense – use the month to review cyber hygiene protocols with agency teams as well as share their commitment to protecting the nation from cyber attack.
What has been most noteworthy over the course of the last year is a shifting mindset among federal cyber security leads. From the appointment of the first federal Chief Information Security Officer to the Department of Defense’s bug bounty program, to the reorienting of cyber defense philosophy from keeping the bad guys out to building resilient environments that can weather the inevitable attacks.
At the recent FedTalks event held in Washington D.C., several agency CIOs shared how their mindset has shifted over the last few years since the summer of cyber sprints in 2015 following the devastating breach at OPM. For Ann Dunkin, CIO of the Environmental Protection agency, good defenses are paramount, but she noted that now she operates from the position that “you also have to assume that you’ve been hacked.”
This radical shift from simply trying to “keep the bad guys out” to accepting that at least some part of your agency’s infrastructure has been breached is the beginning of a much wiser and more successful era of cybersecurity according to John Dancy, CIO at CSRA, Inc. “Savvy cyber leaders start from the position that their organization has been breached because it enables them to build an overall posture that is more robust,” Dancy noted. “Far too often we’re finding that the ‘bad guys’ have been in agency networks for long periods of time waiting to launch an attack. Or, as has been seen recently, there’s an assumption that there are no bad guys, per se, but instead there are rogue insiders who are privileged users who don’t need to breach external defenses in order to exfiltrate proprietary data and classified information.”
Another move that Dancy reflected favorably on was the approach to cybersecurity embraced by CIA CIO, John Edwards. During a panel on cybersecurity Edwards discussed the importance of a DevOps approach to achieving cybersecurity in the cloud. “With the increased need for collaboration, not only between different agencies within the U.S. Intelligence Community, but also between national intelligence communities to fight terrorism and other global threats, we need to be able to house more data in hybrid clouds securely and be able to share it with confidence,” Dancy said. “”It’s an ambitious goal to break down not only information silos, but a siloed workflow mentality. CSRA has already realized tremendous benefits of pursuing this approach with our own systems.”
Interested in learning more about CSRA’s approach to robust cyber security? You can find more information here.
