Cybersecurity's secret sauce: audits?

audit paperwork

Every government agency seeks the elusive "secret sauce" for cybersecurity -- the right combination of defenses, policies and people that create the best position against cyberattacks. But too often, the pursuit becomes mired in compliance and the complexities that comprise today's congested cyber landscape.

Most experts agree that much needs to change in terms of federal cybersecurity, including a wholesale shift in approach that better integrates agility, continuous monitoring and a broader team beyond just IT, according to former top officials speaking Oct. 10.

"We need to get away from this compliance-focused approach to cybersecurity and mature that entire process to adapt to the changing threats and a changing landscape," said Earl Crane, former White House national security adviser for cybersecurity policy now at Promontory Financial Services. "Trying to do that with a checklist-based model isn't achievable."

Crane spoke as part of a panel at an Association for Federal Information Resources Management event in Washington, D.C.

Much of the new-age approach to cybersecurity that experts encourage centers on continuous monitoring and risk management, buzzwords that so far are tough to find within official governance. Crane and others argue that those changes are overdue, along with some others that date back to the 1996 enactment of the Clinger-Cohen IT management reform legislation.

"I don't think that merging of the CIO, CFO [and] deputy secretary has happened to the extent that it should be," said Karen Evans, national director of the U.S. Cyber Challenge and former Office of Management and Budget administrator.

There is, she said, a conversation that is largely not taking place, one about how investment priorities, risk tolerance and contingencies support an agency's primary mission. "That conversation is supposed to have been happening since 1996, but it's still not happening," she said. "We have all these tools out there, but until we have this conversation, nothing can happen."

Evans also suggested another shift in approach: While consistency might be lacking in policy and governance, other sources -- including audits and inspector general reports -- can be effective in getting through to decision-makers.

"The things that senior leadership does respond to are GAO reports [and] IG reports, and in private industry the audit committee is the most powerful on any board," Evans said.

Those audits and reports can be essential in identifying gaps in an agency's security stance, and as a result can supplant outdated or cumbersome directives with more effective guidance.

Cybersecurity is "now being brought into the audit committee because that's what leadership looks at – they look at the results of an audit," Evans said. "And so what some of us think needs to happen is the IGs in the government monitoring against that. They do the evaluation from that point and that becomes the baseline of the agency from an independent evaluation."

Still, that can mean a significant departure from the status quo, something that is difficult to do – and a major factor in why those changes have not happened yet.

"In government, in my experience, you have to bring people along to effect change and it's a long process," said Richard Spires, former Homeland Security Department CIO. "Before you can get it done, things change out from under you. Leadership changes, some new dynamic happens and then you find yourself back at square one. I think those changing dynamics can be a big reason why we don't have these sophisticated" processes.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.


  • Shutterstock image: looking for code.

    How DOD embraced bug bounties -- and how your agency can, too

    Hack the Pentagon proved to Defense Department officials that outside hackers can be assets, not adversaries.

  • Shutterstock image: cyber defense.

    Why PPD-41 is evolutionary, not revolutionary

    Government cybersecurity officials say the presidential policy directive codifies cyber incident response protocols but doesn't radically change what's been in practice in recent years.

  • Anne Rung -- Commerce Department Photo

    Exit interview with Anne Rung

    The government's departing top acquisition official said she leaves behind a solid foundation on which to build more effective and efficient federal IT.

  • Charles Phalen

    Administration appoints first head of NBIB

    The National Background Investigations Bureau announced the appointment of its first director as the agency prepares to take over processing government background checks.

  • Sen. James Lankford (R-Okla.)

    Senator: Rigid hiring process pushes millennials from federal work

    Sen. James Lankford (R-Okla.) said agencies are missing out on younger workers because of the government's rigidity, particularly its protracted hiring process.

  • FCW @ 30 GPS

    FCW @ 30

    Since 1987, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group