It is a fact of life for government CIOs that their cyber assets will always be at risk.
The drive to make government more accessible to citizens, drive down costs and improve efficiencies means that cyber assets are more critical to our everyday lives. Yet, even as our reliance on these assets grows, the infrastructure remains vulnerable, and threats have become more prevalent and sophisticated. Whether it is an unwitting user who inadvertently causes damage or a skilled, determined attacker, these threats are real.
All too often — because of organizational, cultural, economic, technical and operational challenges — CIOs lose the battle to secure their cyber assets. They end up implementing point solutions that remedy only the latest vulnerability, without having the authority or resources to address systemic issues that prevent them from having a secure and resilient infrastructure on which to conduct mission-critical functions, both for their organization’s administrative missions and their stakeholders’ business missions.
For CIOs trying to build strong, effective cybersecurity and integrate security and privacy in support of mission and stakeholders, the roadblocks lie in four major areas: awareness and education, governance and decision rights, risk management in the context of cost and security, and the resilience to recover after inevitable attacks. Addressing each requires a shift — in some cases a major shift — in the way agencies approach cybersecurity, at both the strategic and tactical levels.
Transforming Awareness into Action
Many CIOs have capitalized on the growing focus on cybersecurity to make positive changes, but this focus also shines a spotlight on some deep-seated challenges that CIOs will continue to face within their agencies. Specifically, while it is encouraging that awareness about cybersecurity is increasing, it is critical for CIOs to transform awareness into action.
Across agencies, CIOs must ask themselves three questions:
1) Who is on my network, and what are they doing?
2) Are legitimate users of my cyber assets aware of the impact of their actions?
3) How can I satisfy the organization’s growing administrative and mission needs securely?
To answer the questions about network health and gaps in network defense, CIOs need to work with their staffs to identify the comprehensive technical needs of the agency. To find a true end-to-end security solution, questions should focus on: what types of detection and forensic capabilities the mission requires; how the agency can minimize gaps and reduce costly redundancies; and how the agency can ensure that the right information is available to the right people.
Next, CIOs need to determine what cultural changes need to be made in their agencies. This may be the most challenging task the CIO faces. If there is a low level of awareness of cybersecurity needs, then education and awareness training will be required for every individual in an organization. Cybersecurity is most effective when it is seen as an enabler and as everyone’s responsibility. To accomplish this, the CIO must be aware of key work processes and how a secure and resilient IT infrastructure supports them. CIOs need to be able to effectively communicate network defense needs to the rest of the “C suite” and help stakeholders — actually, everyone in the organization — understand the role each plays in ensuring a secure and reliable operational environment. This can’t be done effectively without considering the next three areas: governance, risk management and resilience.
Where the cybersecurity function resides within an organization and what level of authority it has over networks, data and applications across the enterprise has a large impact on its effectiveness. The operating model of the organization (command and control versus federated), the culture of the organization and the mission of the organization all affect where the function should lie. Effective cybersecurity takes into account not only threats and vulnerabilities, but also the organization’s processes and ultimately the missions it supports. In working with CIOs across Defense, national security and civilian agencies and commercial organizations, we’ve found that if the security function is not sensitive to these variables and fully integrated with an organization’s processes and missions, it will be ineffective.
Wherever the function lies, the top individual must have sufficient visibility into what he or she is responsible for, have the authority to enforce policy and understand the organization’s mission. Additionally, senior management across the organization (in headquarters, bureaus and divisions) must recognize how secure and resilient systems enable them to perform their missions.
In organizations that are decentralized or federated, the CIO’s ability to communicate and influence when he or she can’t “command” is essential. We have found the use of tabletop exercises especially effective at helping senior leaders gain a greater understanding in this area because it brings the major stakeholders of the organization (and sometimes its constituents, customers and suppliers) together around one or more specific scenarios. As the stakeholders work through the scenarios, they discover important insights into governance, decision rights and communication challenges, and they can test alternative solutions.
True Cost of Cybersecurity
CIOs must continually decide how to best spend their security dollars. But very seldom can they see how much risk is reduced by each dollar. For instance, when faced with tight budgets, should the CIO spend security dollars on a technical solution, or implement an enhanced education, training and awareness program?
In most organizations, the answers are not immediately obvious and rely on guesswork rather than metrics. As they gain visibility into the enterprise and get clear, repeatable metrics, CIOs are in a better position to answer these questions and deploy resources where they will have the greatest impact. Organizations need to take a hard look at where their cybersecurity dollars are being spent and what the risk-related results are for their mission when they decide how dollars are allocated to the security and IT portfolio.
No security approach is 100 percent foolproof. In dynamic environments, new vulnerabilities are introduced daily, threats become more sophisticated and successful, and the human element remains a weak link. Even so, we cling to the belief that we can protect our cyber assets against any and all events.
CIOs must accept that bad things do happen — and when they happen, the focus must be on how to respond and reconstitute mission-critical functions. Designing resilience into the cyber enterprise is crucial. Incident response capabilities combined with backups of critical data and applications are key to operating safely in a hostile environment.