Cybersecurity experts often like to tell the federal government what it needs to be doing better to deliver on the mission. But how often do they listen to federal government cyber teams to find out what their principal challenges are? And, moreover, how often is that insight collated, analyzed, and shared across civilian and military agencies?
The answer, as you may suspect, is not often enough. RedSeal, in conjunction with FedScoop, undertook a project to determine how federal cyber workers feel about their access to tools and how prepared they feel to face threats in the coming year. We talked with Wayne Lloyd, Federal Chief Technology Officer at RedSeal, to get a better understanding of the results. The survey focused on the perspectives of federal IT leaders – primarily C-level executives and IT managers across military, intelligence, and civilian agencies.
Overall, survey respondents were confident in their agency’s current security posture. In fact, in both civilian and military organizations, approximately two-thirds of respondents believe their organizations have sufficient tools and resources to respond to cyber threats. Despite confidence in their resource preparedness, fewer than a third of respondents said their organization was able to detect and respond to an incident within an hour – even though the majority believe that this is how quickly they ought to be able to detect and respond to an incident.
Said Lloyd, “The federal government is really doing well when it comes to addressing cyber issues. The constant attacks and infiltrations combined with a requirement to share breaches has really pushed the federal government to improve their posture and their responses.”
Another factor that has contributed to this overall improvement in information security, according to Lloyd, is the investment in the nation’s cyberwarriors. “The military’s cyber protection teams have set the standard for how to respond to attacks and breaches,” said Lloyd. “They’ve chosen a mix of open source, freeware, and commercial tools and standardized those into a response kit that all members of the team are trained to use. They’ve also developed cyber ranges to constantly test skills and develop standard operating procedures, so they can continue to improve detection and response times.”
Of course, there are still challenges to overcome. Lloyd noted that both the survey and his conversations with federal IT security leaders tell him that being able to gauge the effectiveness of cyber responses is still a challenge. “Security metrics often become busyness metrics. The number of incidents and how many were closed are often the benchmarks used to demonstrate success,” he said. But those metrics don’t really tell an agency if they’re getting better, according to Lloyd. “The real measure of success is whether you’re reducing uncertainty or risk,” he shared.
How, then, do you address this challenge? For Lloyd, the answer to understanding risk and reducing uncertainty lies in developing a continuous understanding of the environment, including what the network looks like and what’s on it. “Despite the many tools at our disposal, very few organizations have done a good job of mapping their cyber terrain,” noted Lloyd. Interestingly, according to the survey results, investments in the types of tools that can improve understanding of risk, reduce uncertainty, and bolster resilience ranked near the bottom of planned strategic investments in 2019 for both military and civilian agencies.
For Lloyd, though, the low priority given to risk scoring is not that surprising. “For most agencies – as for most organizations and people – it’s the basics that trip us up; things like changing passwords, falling for phishing, and critical patching. So, most agencies are still responding to those immediate needs,” said Lloyd.
However, military cyber protection teams have prioritized understanding their cyber terrain and building resilience. This will have an impact on tools, tactics, and procedures across the government. “As these teams grow and mature and as formal and informal sharing of best practices and other information between agencies increases, priorities will shift to investing less in tools that replicate existing knowledge of the attack surface and towards tools like network terrain mapping and platforms that can provide insight on digital resilience,” he concluded.