Managing IT security is not unlike being in charge of the laundry: It’s a never-ending job; dirty items just keep arriving.
Plus, the challenge of staying ahead keeps getting more difficult — there’s more data, and it’s accessed and shared in more ways.
“We have to do things smarter because frankly the adversary is not going away,” says Rod Turk, chief information security officer at the Commerce Department, who spoke on a panel at GITEC Summit 2013 in Baltimore.
In the main, Turk says, the security challenges across agencies are fairly similar.
For that reason, many of the government’s security chiefs and IT officials meet somewhat regularly to share lessons learned and to leverage one another’s cybersecurity successes, adds Energy Department CISO Gil Vega.
At DOE, Vega also takes advantage of the fairly hefty R&D capabilities available to his team within the department’s many labs. “In D.C., we’re really the ‘C’ team — we rely heavily on those folks, the ‘A’ team, to help us develop new tools.”
The department’s security staff is really focused on zero-day attacks that aren’t typically detected by commercial protection tools. Even so, today, incident response requires lightning speed and enterprisewide tools to be ready before any attack occurs, Vega says.
“You’ve got to have hunters who are constantly crawling your environment looking for anomalies,” he says. An agency’s ability to prepare for these types of events will speak a lot to whether it will be able to continue with its mission in the wake of an attack, Vega points out.
Dara Murray, chief of the Information Security Branch at the Health and Human Services Department, agrees. Continuous monitoring is no longer a paperwork exercise. It’s taking place in real time to prevent zero-day attacks.
Awareness, which some folks call “old school,” remains essential, says Steve Elky, deputy director of IT services at the Library of Congress.
“We know the few big things that our boxes are getting popped on” so we focus our awareness training on those items, Elky says. Librarians have the attitude that “this is not the Department of Defense; we share everything.” That view makes awareness key if LOC wants to ensure security, he says.
And it has made a difference, Elky says, and recounts a story: A year ago, a phishing attack succeeded because numerous employees clicked on the link that arrived in an innocuous email. Just a few weeks ago, a comparable phishing message arrived in mailboxes across LOC. But this time, hardly anyone opened it; instead, they called the help desk and forwarded the questionable email.
“Awareness works. It works,” Elky says.
At Commerce, Turk says, leadership is trying to create a 360-degree learning environment that involves employees within Commerce, employees at other agencies and contractors.
Keeping management focused on the importance of security requires that the IT security staff be not only technically proficient but also have the competency to communicate the agency’s business need and case, Turk says. A lot of highly technical and smart people don’t have that competency, he says.
Meanwhile, at Energy, Vega is standing up a new Joint Cybersecurity Coordination Center. It’s not called a security operations center, he notes. “We’re seeking to be the connective material — it’s less about operations and more about sharing and dealing with the advanced attacks that we deal with every day.”