Cybersecurity's secret sauce: audits?

audit paperwork

Every government agency seeks the elusive "secret sauce" for cybersecurity -- the right combination of defenses, policies and people that create the best position against cyberattacks. But too often, the pursuit becomes mired in compliance and the complexities that comprise today's congested cyber landscape.

Most experts agree that much needs to change in terms of federal cybersecurity, including a wholesale shift in approach that better integrates agility, continuous monitoring and a broader team beyond just IT, according to former top officials speaking Oct. 10.

"We need to get away from this compliance-focused approach to cybersecurity and mature that entire process to adapt to the changing threats and a changing landscape," said Earl Crane, former White House national security adviser for cybersecurity policy now at Promontory Financial Services. "Trying to do that with a checklist-based model isn't achievable."

Crane spoke as part of a panel at an Association for Federal Information Resources Management event in Washington, D.C.

Much of the new-age approach to cybersecurity that experts encourage centers on continuous monitoring and risk management, buzzwords that so far are tough to find within official governance. Crane and others argue that those changes are overdue, along with some others that date back to the 1996 enactment of the Clinger-Cohen IT management reform legislation.

"I don't think that merging of the CIO, CFO [and] deputy secretary has happened to the extent that it should be," said Karen Evans, national director of the U.S. Cyber Challenge and former Office of Management and Budget administrator.

There is, she said, a conversation that is largely not taking place, one about how investment priorities, risk tolerance and contingencies support an agency's primary mission. "That conversation is supposed to have been happening since 1996, but it's still not happening," she said. "We have all these tools out there, but until we have this conversation, nothing can happen."

Evans also suggested another shift in approach: While consistency might be lacking in policy and governance, other sources -- including audits and inspector general reports -- can be effective in getting through to decision-makers.

"The things that senior leadership does respond to are GAO reports [and] IG reports, and in private industry the audit committee is the most powerful on any board," Evans said.

Those audits and reports can be essential in identifying gaps in an agency's security stance, and as a result can supplant outdated or cumbersome directives with more effective guidance.

Cybersecurity is "now being brought into the audit committee because that's what leadership looks at – they look at the results of an audit," Evans said. "And so what some of us think needs to happen is the IGs in the government monitoring against that. They do the evaluation from that point and that becomes the baseline of the agency from an independent evaluation."

Still, that can mean a significant departure from the status quo, something that is difficult to do – and a major factor in why those changes have not happened yet.

"In government, in my experience, you have to bring people along to effect change and it's a long process," said Richard Spires, former Homeland Security Department CIO. "Before you can get it done, things change out from under you. Leadership changes, some new dynamic happens and then you find yourself back at square one. I think those changing dynamics can be a big reason why we don't have these sophisticated" processes.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.


  • Congress
    U.S. Capitol (Photo by M DOGAN / Shutterstock)

    Funding bill clears Congress, heads for president's desk

    The $1.3 trillion spending package passed the House of Representatives on March 22 and the Senate in the early hours of March 23. President Trump is expected to sign the bill, securing government funding for the remainder of fiscal year 2018.

  • 2018 Fed 100

    The 2018 Federal 100

    This year's Fed 100 winners show just how much committed and talented individuals can accomplish in federal IT. Read their profiles to learn more!

  • Census
    How tech can save money for 2020 census

    Trump campaign taps census question as a fund-raising tool

    A fundraising email for the Trump-Pence reelection campaign is trying to get supporters behind a controversial change to the census -- asking respondents whether or not they are U.S. citizens.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.