Adding Sizzle to Security

When it comes to technology, often you’ll hear people talk extensively about the latest gadgets, innovative applications and game-changing future advancements, but rarely does that same level of enthusiasm extend to the topic of security.

There’s plenty of talk about cybersecurity, but it’s not always with the same level of excitement as other topics. This isn’t because cybersecurity lacks attention. If anything, it’s the IT issue that receives the most intense focus within government technology circles.

And it’s also not because the feds who work in this arena lack passion. For instance, have you ever heard Maj. Gen. Steven Smith, director of the Army CIO Office’s Cyber Directorate, talk about security? He certainly isn’t dull.

“If we knew there was a known vulnerability with a router, how would we know where they are?” he asked during a session of the Army LandWarNet Conference in late summer. Only partly joking, he replied: “We’d count them and put it on a spreadsheet. That’s crazy. You wouldn’t run your company that way. Why should we run the Army that way?”

Yet, security can lack the “aha” factor that’s pervasive in other areas of IT. Three factors seem to be at play here.

A Special Case

First, spending on security tends to be more focused on avoiding an adverse outcome rather than proactively delivering a desired outcome. Second, IT security work by agencies is intrinsically tied to multiple mandates and policies. Third, the “aha” moments mainly take place behind closed doors in R&D shops — but this is about security, protection and privacy after all, so a lack of exposure shouldn’t be too surprising.

But does it have to be this way? Can we bring some of the fascination, exhilaration and innovation to security that, for example, organizations are bringing to the use of social media?

This Way Forward

The new focus on continuous monitoring can be an opportunity to bring a fresh approach to how the government addresses cybersecurity.

Although not a replacement for the Federal Information Security Management Act, the government’s continuous monitoring initiatives offer a chance to take advantage of innovation and to make security all-encompassing. As the National Institute of Standards and Technology has pointed out, continuous monitoring can take static control mechanisms and make cybersecurity a dynamic process.

By giving users in an organization access to near-real-time information about their systems so that they can be proactive rather than reactive, agencies can make smarter decisions about security and adjust controls on the fly to keep pace with changes in their infrastructure as well as evolving attack techniques.

This means that IT and security teams should take advantage of all the tools and monitoring devices they have been deploying to feed users the right data. There’s a chance to right-size government security spending by automating monitoring and making the process more cost-effective, consistent and efficient — essentially using the data to flesh out and better refine risk assessments, according to NIST.

97%: Agencies that have deployed continuous and automatic monitoring of cyberthreats. (Source: Survey of 34 CIOs and chief information security officers, MeriTalk, October 2010)

In new guidance, the standards agency recommends taking a three-tiered approach by monitoring at the enterprise, mission and system levels.

Here’s where innovation, creativity and “aha” moments can pay off for agencies in two ways. First, there’s the tracking, gathering and sharing of this crucial data. How can agencies effectively achieve these tasks to tackle known vulnerabilities? Second, there’s the hope that continuous monitoring will give federal IT teams the chance to delve more intently into the unknowns of cybersecurity.

Possible Tactic

Smith suggests that we look to the Year 2000 code fixes as a role model: “Y2K was the best project I ever worked on. It was the one project we worked on that couldn’t slip to the right. The whole nation was mobilized to work Y2K. We’ve got to do that with cyber.”

In the end, that kind of mobilization is essential in a world where everything runs over IP, everything is connected to a network, and a cyber-driven approach to collaboration defines how a forward-thinking government will need to work.

Oct 29 2010