Risk Management

Could the sequester make us smarter about security?

Jody Brazil

We are nearly three months into sequestration, and the world -- or even the U.S. government -- has not ground to a screeching halt. By the same token, all the talk about the cuts shocking elected leaders to their senses and prompting an agreement to negate them seems to have died down as well.

That doesn’t mean the cuts have not been deep, though. It doesn’t mean that many employees -- both government workers and contractors -- will not lose their jobs or that new programs and initiatives are not being canceled or delayed. But nor does it mean IT leaders are relieved of the responsibility of securing our IT assets and managing our risk at acceptable levels.

This era of sequestration means we must work smarter with the assets we have now. The precious few dollars we have should be used to capitalize on what is already in place rather than ripping out and starting over. It is an opportunity to better manage current assets for greater operating efficiency.

According to some government officials, for the most part, critical infrastructure security has not been drastically cut. What is already in place will generally remain in place, at least for now. New projects could be scaled back, but even then, massive cuts seem unlikely.

The most difficult task might well be how to make do with fewer employees. Although new technology purchases for cybersecurity might still be possible, the staff to implement and maintain that technology is not nearly so protected. That means IT executives must use technology to manage assets effectively. Automation and visibility can help you manage with fewer people, and when looking at new technology, better management of existing infrastructure should be a prime consideration.

Another area that could be subject to sequestration-related cuts is the move to next-generation firewalls and other security appliances. However, that does not mean you cannot improve your security posture with the network security gear you have right now. For instance, there is probably no shortage of firewalls in your network today, but understanding what rules are in place and why is another matter. Learning to make do with what you have is the key to successfully navigating the sequester.

Another strategy is to understand what the true risks are so that you don’t spend money you do not have on things that are not a real concern. It is natural to worry about assets that are vulnerable, but very few of us investigate whether those vulnerabilities are exploitable. Fewer still take the next step and ascertain whether those exploitable vulnerabilities are reachable. If they are not, why waste precious resources on them?

And if they are reachable and exploitable, what is the most efficient way to manage that risk? It might not necessarily mean spending more money. Instead, it could be as simple as a network configuration setting. A more enlightened approach to risk management that helps you identify the risks in a network and how best to manage them could wind up saving big money.

Tools and tactics that allow agencies to capitalize on existing assets are the best ways to squeeze the most out of shrinking budgets. There will be a time soon when we can think about upgrading our network security appliances and infrastructure. But that doesn’t mean we can’t be more secure and manage risk better today. Invest in what you already have in place. Manage better, work smarter, and don’t use the sequestration as an excuse to let down your guard about information security.

About the Author

Jody Brazil is founder and CTO of FireMon and former CTO of FishNet Security.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.