In reality — in down economies and up — budgets for most agencies are fairly tight.
So figuring out how to spend cybersecurity funding in the most cost-effective manner requires IT and security teams to define what is critical and what needs to be addressed, says Eric Cole, cybersecurity researcher at Lockheed Martin and an instructor for the SANS Institute in Bethesda, Md.
You need to “map” your security spending and activity to three questions, he says. They are:
- What is the risk?
- Is it the highest priority risk?
- What is the cost for resolving this risk?
This seems a bit obvious, yet many organizations don’t establish solid game plans that allow them to respond quickly, even in advance of problems, says Cole, who spoke on a security panel at the recent IPIC conference. And although organizations in both the public and private sectors are putting increased funding toward cybersecurity, those funds are not infinite. “You want to get the best approach and get proactive,” he advises.
To illustrate how many organizations aren’t yet up to speed, Cole points to what happened in December with Microsoft’s “Patch Tuesday.” An exploit went live on the Monday before the patches shipped, “so the patch was 14 hours behind the attack.” Even in a best-case scenario, he says, if an agency doesn’t patch within 72 hours, then there is a 65 percent probability that one of its Internet-connected computers will become infected.
Cost is a challenge for the government when it comes to cybersecurity, acknowledges Vance Hitch, CIO for the Justice Department. “I have been able to elevate the issue of cybersecurity to a level in the department to get a huge infusion of money. But that’s not going to happen every year,” he cautions.
In This Together
As a whole, the government needs to do more to figure out how to find efficiencies in security programs and practices. “When push becomes shove, we need a command and control structure to prevent cybersecurity tragedies from happening,” Hitch says. “You don’t need it every day; but when you need it, you need it.”
He advises civilian agencies to take a page from the Defense Department playbook. “DOD is better at this than the civilian side of government because it’s part of the culture there,” he says.
To help that effort along, Hitch is co-chairing a new Information Security and Identity Management Committee of the CIO Council that will provide guidance and pointers on practical priorities to the White House, Office of Management and Budget, and National Institute of Standards and Technology.
Hitch, who says the IT security requirements that came down from the Bush administration and OMB over the past few years were good things that agencies needed to do, describes this new CIO Council group’s role as that of an influencer. “We want to normalize all the activity that was already going on” around cybersecurity, he says, because it doesn’t make sense to have multiple meetings with the same people on the same issues over and over again. The ultimate goal is to get action taken in the appropriate order and in a way that is effective, Hitch adds.
Those efforts, Cole says, jibe with three priorities that SANS research has found need focus:
- Mission resilience: Agencies need to prioritize critical information and focus on critical processes, making sure that no matter what happens those processes can continue.
- Communication gap: There needs to be far more communication between security, IT and leadership to create a unified plan. “If the techie folks are going to do one thing and the execs another, then there’s not going to be a good result.”
- Solving problems without affecting the mission of the agencies: Agencies need to rethink how security is done to make it a business enabler, reducing costs and making security processes more effective.
Convergence of security efforts will help, both Cole and Hitch say. “I like to say that security used to be the icing on the cake but now it needs to be the flour, integrating with everything,” Cole notes.
The logic behind taking on cybersecurity collectively, he says, becomes fairly obvious when considering the three avenues of attack: the system (technical), the physical, and social engineering. When crafting a cybersecurity game plan, then, an agency needs to weave together technology, security and human resources, Cole recommends.
Hitch adds one caveat: “We in technology have to be the catalyst that brings these things together — because technology is the integrating force.”