What does it mean to be secure? We wanted to know how an agency’s information technology officials could say with confidence that they have taken the right steps to protect its information. It became quite clear that security is not only a state of being, it’s also a mind-set and the ability to create a culture rooted in security. In the dynamic and asymmetric world in which cyber professionals operate, they must constantly look at innovative ways to stay ahead of attackers.
Through our research and with help from industry experts, we identified five dominant themes about what it means to be secure:
1. Having Real-Time Awareness
Attacks on agencies are occurring more frequently than ever, and agencies now must be able to analyze threats and attacks in real time. Being secure doesn’t just mean being able to respond quickly; it’s having the knowledge and insights to spot attacks as they are unfolding. To gain that awareness, agencies must understand what their network looks like and who accesses it and how.
“The reality is most organizations don’t know what being totally secure looks like in the cyber world,” said Robert Roy, federal chief technology officer at HP Enterprise Security Products. How can they if they don’t know what they are protecting, or they don’t understand the vulnerabilities, or they don’t fully understand the threat? Any secretary should be asking: ‘How secure is my business?’ and to answer that question, it is going to take a fully implemented CDM solution, both technically and organizationally.”
2. Continuous Assessing Vulnerabilities
You could craft the best plans and policies, but they will fall flat if the policies are not enforced. A risk management policy should help you understand who access data, how they access it and when. The policy will also provide clarity on proper data usage for stakeholders and data users.
“Enforcing a dynamic cybersecurity risk management policy is crucial to being secure. This policy needs to be thoroughly understood and adopted by all stakeholders, both internal and external—those accessing your data, your network, and your resources. This policy cannot be stagnant; it must adapt to evolving threats to the network. It should enable risk-based decision-making, aligned to your mission and business objectives. Your users will always be the weakest link in the chain, so it’s essential that all levels of the workforce participate in continuous cybersecurity education in order to understand the risk they pose as users of the network, and how they can eliminate those risks,” said Chris Wilkinson, senior director, Cybersecurity Technologies, immixGroup.
3. Mitigation and Administering Rapid Response
In today’s environment, organizations must quickly deploy mitigation techniques and respond rapidly to complex attacks. For government, this means that there needs to be a way to connect people to technology.
“Being secure is a moving target insofar as you have to understand the cybersecurity is ever evolving,” said Patrick Flynn, director of Homeland/National Security Programs at Intel Security Federal
Business Development. “It’s like asymmetric warfare in Afghanistan or Iraq – you don’t know what the enemy necessarily looks like. So as long as you understand that, and you have the ability to put the solutions in place and bring in the human to understand and recognize those threats.”
4. Gaining Clarity from Complexity
There is no doubt that security is complex for government administrators. In our survey of 160 cybersecurity professionals, we found that the biggest cyberthreats agencies face are external unauthorized access and people. Respondents believe their largest gaps in cybersecurity solutions reside in least privilege and infrastructure integrity (people and devices). These findings show that CDM is positioned well to provide access to the government community to the right solutions to improve their overall security posture.These various attack vectors are challenging cyber professionals.
“One of the biggest challenges faced by both government and commercial enterprises today is that of rapidly growing complexity,” said Tim Woods, vice president of engineering at FireMon. “I’m not referring to the type of complexity that one finds in a well-orchestrated security architecture, but moreover the unnecessary complexity that has crept in over time that has left us with large gaps in our security defenses. Unnecessary complexity gives rise to the probability of human error creeping into the equation as well.”
5. Automating Processes
Automation is an imperative part of cyber defense. By automating traditionally manual processes, agencies can improve compliance and reporting strategies. Automation can help IT managers react quickly and develop new ways of thinking about cyber issues. Still, no defense strategy is flawless; some attacks are bound to work. Cybersecurity today is as much a practice of damage control as it is of prevention.
“Today’s real world requires a threat-centric approach to security. We have to assume that a certain number of attacks are going to be successful,” said Steve Caimi, industry solutions specialist at Sourcefire, which Cisco acquired last year. “We need to have the capabilities to know that it’s happening right now and react quickly.”
For cybersecurity professionals, defining what it means to be secure is complex. CDM helps because it’s designed to improve agencies’ security posture by assessing, analyzing and mitigating attacks. As we explore how to participate in the CDM program, it’s important to keep these considerations of an effective cybersecurity policy in mind.
Patrick Fiorenza is a Senior Research Analyst at GovLoop which strives to connect government to improve government. He can be reached at firstname.lastname@example.org.