Risk Management

Could the sequester make us smarter about security?

Jody Brazil

We are nearly three months into sequestration, and the world -- or even the U.S. government -- has not ground to a screeching halt. By the same token, all the talk about the cuts shocking elected leaders to their senses and prompting an agreement to negate them seems to have died down as well.

That doesn’t mean the cuts have not been deep, though. It doesn’t mean that many employees -- both government workers and contractors -- will not lose their jobs or that new programs and initiatives are not being canceled or delayed. But nor does it mean IT leaders are relieved of the responsibility of securing our IT assets and managing our risk at acceptable levels.

This era of sequestration means we must work smarter with the assets we have now. The precious few dollars we have should be used to capitalize on what is already in place rather than ripping out and starting over. It is an opportunity to better manage current assets for greater operating efficiency.

According to some government officials, for the most part, critical infrastructure security has not been drastically cut. What is already in place will generally remain in place, at least for now. New projects could be scaled back, but even then, massive cuts seem unlikely.

The most difficult task might well be how to make do with fewer employees. Although new technology purchases for cybersecurity might still be possible, the staff to implement and maintain that technology is not nearly so protected. That means IT executives must use technology to manage assets effectively. Automation and visibility can help you manage with fewer people, and when looking at new technology, better management of existing infrastructure should be a prime consideration.

Another area that could be subject to sequestration-related cuts is the move to next-generation firewalls and other security appliances. However, that does not mean you cannot improve your security posture with the network security gear you have right now. For instance, there is probably no shortage of firewalls in your network today, but understanding what rules are in place and why is another matter. Learning to make do with what you have is the key to successfully navigating the sequester.

Another strategy is to understand what the true risks are so that you don’t spend money you do not have on things that are not a real concern. It is natural to worry about assets that are vulnerable, but very few of us investigate whether those vulnerabilities are exploitable. Fewer still take the next step and ascertain whether those exploitable vulnerabilities are reachable. If they are not, why waste precious resources on them?

And if they are reachable and exploitable, what is the most efficient way to manage that risk? It might not necessarily mean spending more money. Instead, it could be as simple as a network configuration setting. A more enlightened approach to risk management that helps you identify the risks in a network and how best to manage them could wind up saving big money.

Tools and tactics that allow agencies to capitalize on existing assets are the best ways to squeeze the most out of shrinking budgets. There will be a time soon when we can think about upgrading our network security appliances and infrastructure. But that doesn’t mean we can’t be more secure and manage risk better today. Invest in what you already have in place. Manage better, work smarter, and don’t use the sequestration as an excuse to let down your guard about information security.

About the Author

Jody Brazil is founder and CTO of FireMon and former CTO of FishNet Security.

The 2014 Federal 100

Get to know the 100 women and men honored this year for going above and beyond in federal IT.

Reader comments

Fri, May 31, 2013

Everyone, especially the Government, needs to learn how to live within their means. The sequester might help the Government be a bit more efficient, but unfortunately it still has a long ways to go. For people on the Government paycheck, they are only taking a 20% cut for about 20% of the year so in reality they are only taking about a 4% cut for the year. Many more people in the private sector have taken much bigger cuts in the last four years. That is the real world that most of us live in all the time. I would hope that these people in the Government getting impacted by the sequester might wake up and realize how much their employer hurts the rest of us with their stifling regulations, fees, and taxes. But then again based partly on the first reader comment, I doubt that many on the Government dole would figure it out, much less care.

Fri, May 31, 2013

I think I will submit my retire papers!

Fri, May 31, 2013

I vote to curtail the SES salaries. They are the ones who rose up through the federal ranks and are getting paid the big bucks. Cut their pay. They don't appear to be earning it. Speaking of earning it, the president said in 2008 he would focus on jobs like a laser. Seems he's not earning his pay either. He recently returned 5% of his federal salary as a show (he's always in a "show" isn't he?) of solidarity. How about really making a statement and doing what Lee Iacoca did with Chrylser? He took a $1 salary until Chrylser was solvent again. Well Mr. President how about it? You're clearly going to be a very rich (read top 0.05%) person someday, maybe even richer than Al Gore, the Clintons or heck even Rockefeller. Man up and take $1 until we have 5% unemployment. Maybe it will motivate you to "focus" better. Lol!!

Fri, May 31, 2013

How about all those low grade civil service employes that are single parents living on one pay check support children. Because some agencies have elected to spread the furlough days across several weeks the less fortunate can't even file for unemployment. Let's take 20 plus percent away from all the senators and congressman along with the cabinet members and see if this impacts their thought process.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above