One of the biggest struggles for government contractors is how to find the right balance between the information security their organizations must have and the tools that their teams need to help agencies deliver on their missions. In every aspect of IT, from mobile devices to access to social media sites and apps, there’s a constant give and take between the value that these next-generation tools bring and the inherent risks they pose to a company’s network, data, and potentially, national security.
So how do you find the balance between the risk and reward?
While some organizations choose a fairly open approach, utilizing free collaboration tools or buying as much of the latest and greatest technology as possible, others rely on stringent security measures by simply locking systems down, blacklisting web sites, and preventing access to social media during the work day. Limiting options for employees to use best-in-class technologies that drive collaboration and enable effective teams often results in the deployment of Shadow IT on company networks and in the InfoSec complications that come with unauthorized sites and applications.
At CSRA, I’d like to think that we’ve found a more productive approach that results in a genuine balance between needs and wants, security and productivity, and enables our employees to use our next-generation networks and tools to connect and build brilliant teams – whether they’re in headquarters or physically located at a customer site. We are focusing on shifting our cybersecurity posture to a true team effort by turning the focus from IT to the user experience. No longer will the use of IT and security together bring to mind the idea of onerous login requirements, a lack of intuitive software, and information silos that disrupt collaborative workflow. Without question, much of our information security strength at CSRA has come from the sense of making security a collaborative effort. While my role as Chief Information Security Officer, and that of my team, is often viewed as issuing edicts on devices, software, hardware, and apps, we have strived instead to involve the business stakeholders. We talk to our business unit partners to gather requirements and solicit feedback. We then look for solutions, marrying their strategic goals with those of the overarching CIO organization, focusing on ensuring transparent security.
In November 2015, when CSRA was created out of the merger of CSC and SRA, we took a hard look at the information security tools and policies that each heritage company used and identified the best to combine into our next-generation approach. In some cases, we also invested in new tools and services from emerging tech companies that would not only better scale to the new organization but also address the constant evolution of cyber attacks and the threats they present to our information, our teams, and our mission partners.
We have developed robust processes and review streams, ensuring that security is baked in from the get-go, because no matter how sophisticated or simple a technology is, the risk continues to be present from basic security threats such as weak passwords and clicking on unknown links. Cyber hygiene begins with each individual user. No technology or process is going to keep a network safe, or information secured, unless the people who use them have bought into good security hygiene practices. Just as continuous monitoring is one of the best ways to protect networks from attack, continuous education is the best way to make sure our teams are armed against cyber attackers of all kinds. In pursuing an approach that combines people, process, and technology we have better visibility into existing and emergent cyber threats and can move more quickly to detect, defend, and remediate against attacks.
Ensuring the integrity of intellectual property, the sanctity of Personally Identifiable Information (PII), and the safe operation of our federal infrastructure are fundamental elements of national security in today’s world. Any organization working with federal government agencies has an obligation to evangelize the importance of cybersecurity and should have its own full understanding of cybersecurity requirements. By conforming to these policies ourselves and developing internal processes that prioritize security but still enable collaboration, efficiency, and mission focus, CSRA is delivering on that obligation, which is fundamental to the success of our organization and the customers we serve.