For decades, cybersecurity professionals have been tasked with protecting organizational IT assets, whether hardware, software, systems, or data. But have they been setting priorities for cybersecurity?
This is a monumental task, especially when the technology environment not only continues to change but is accelerating – just look at the spread of the Internet of Things. IT folks may be told to protect “everything,” but they know it’s an impossible task. They don’t have unlimited resources, after all.
In particular, organizations suffer from a skills gap.
“Fifty-one percent of organizations wish they had more talent in cybersecurity,” says Nate Cash, senior network security engineer, RedSeal. “A Fortune 500 company produces something like a billion [security] alerts a month. Combined with the skills gap, you can’t protect the entire kingdom.”
These problems are compounded in federal agencies, which have a hard time competing with the private sector for talent, always face tight budget constraints, and spend up to 80 percent of their time and resources maintaining old legacy systems. That means agency security leaders must set clear priorities for cybersecurity.
The first thing to do is analyze mission-critical applications and devices, hunting for possible weaknesses. “We analyze the different paths in the network, which devices are on each path,” Cash says. Based on what is found, “we give those higher priority than other devices on the network.”
Criticality is not the only criterion. After all, if there are five mission-critical applications and devices, they still have to be ranked against each other. Cash suggests considering how severe each vulnerability is, whether it is actually accessible, what controls are already in place to mitigate and/or monitor it, and how much it costs to fix.
“The main takeaway is to prioritize effectively. I’ve been in the industry for 15 years … Too many times I’ve gone into an organization and seen they spent a million bucks” on one security measure, ignoring other vulnerabilities that were just as important and more affordable, Cash said.
“I think the government is starting to open up to [mitigating] risk by priority. They are doing protection in layers, starting to harden the inside of their networks, as well … and threat hunting, where they’re starting to look for indicators of compromise,” he said.
Along with pursuing this kind of risk mitigation strategy, another avenue agencies should pursue is “digital resilience,” which is not the same thing as continuity of operations planning (COOP).
“I look at a COOP as, the disaster has already struck and we have to continue operations,” Cash explains. “With digital resilience, it’s more about hardening networks and limiting the amount of damage that can be done.”
For instance, an incident response indicator might fire. Part of digital resilience is being able to see which device is affected and whether an attacker could pivot from that device to other parts of the network, so that cybersecurity staff can block or quarantine the device to keep it isolated.
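Putting the ranking criteria Cash lists (severity, accessibility, existing controls, cost to fix) and the pivot analysis above into code, as an added example that is neither the article's nor RedSeal's: the network, the findings and the scoring weights are all constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass
# Constructed network (not a real topology): which hosts can open connections
# to which others, i.e. the "paths in the network" the article refers to.
NETWORK = {
    "internet":   ["dmz-web"],
    "dmz-web":    ["app-server"],
    "app-server": ["db-server"],
    "admin-vpn":  ["db-server", "hr-portal"],
    "db-server":  [],
    "hr-portal":  [],
}

@dataclass
class Finding:
    host: str
    cvss: float             # severity of the weakness, 0-10
    mission_critical: bool  # host supports a mission-critical application?
    controls: float         # share of the risk already mitigated/monitored, 0-1
    fix_cost: float         # relative remediation cost (1.0 = baseline effort)

def reachable_from(graph, start):
    """Every host an attacker holding `start` could pivot to (transitive reach)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def blast_radius(graph, host):
    """Hosts put at risk if `host` is compromised: what to isolate or watch."""
    return reachable_from(graph, host) - {host}

def priority(f, exposed):
    """Residual risk removed per unit of fix cost; weights are constructed assumptions."""
    base = f.cvss * (2.0 if f.mission_critical else 1.0)
    exposure = 1.0 if f.host in exposed else 0.3   # reachable from the entry point?
    return base * exposure * (1.0 - f.controls) / f.fix_cost

def rank(findings, graph, entry="internet"):
    # Order findings highest priority first, treating `entry` as the attacker's start.
    exposed = reachable_from(graph, entry)
    return sorted(findings, key=lambda f: priority(f, exposed), reverse=True)
FINDINGS = [  # constructed sample findings for the hosts above
    Finding("db-server",  9.8, True,  0.5, 4.0),
    Finding("dmz-web",    7.5, True,  0.2, 1.0),
    Finding("hr-portal",  9.0, False, 0.0, 1.0),
    Finding("app-server", 5.0, True,  0.8, 2.0),
]
```

With these inputs the cheap fix on the non-critical hr-portal outranks the costly fix on the internet-reachable db-server, which is the trade-off Cash describes; `blast_radius(NETWORK, "app-server")` shows which host an alert on app-server puts at risk.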
Network engineering and network security are usually at loggerheads, Cash notes. “Engineering is about providing access – security is about limiting access … Security is usually brought in at the end of a project, [and] it’s seen as a thorn in the side.
“Security should be brought in early,” he concluded. “It saves time and resources.”