Officials talk candidly about workforce cyber hygiene


Cyber experts from both the public and private sector say better governance and more accountability in the federal workforce are needed in order to improve cybersecurity.

National Institute of Standards and Technology Fellow Ron Ross said the bigger problem "is a governance issue; it's about leadership ... I think we have to turn the corner at some point and start to take a hard look at what we are doing and see what we can do better." Ross spoke at an April 25 event hosted by the Institute for Critical Infrastructure Technology in Washington.

A household name in the cybersecurity arena, Ross said that, given the size and scope of databases that are now common, it is essential to have that accountability factor. In the case of the Office of Personnel Management, for example, he argued that the breach might have been avoided if there had been a better structure governing who the authorizing officials are for systems usage.

ICIT Fellow Dan Waddell added that more resources need to be devoted to cybersecurity training for the workforce. "Systems need patching, but people need patching too," he said. And such training can't be limited to the tech specialists, he stressed; getting employees in other departments to internalize good cyber hygiene makes them a greater asset to the organization. It's "not just educating the cyber workforce," he said.

As awareness of the threats posed to agency networks continues to grow, and lawmakers continue to pass more legislation aimed at protection, the spotlight on the topic intensifies. Thomas Boyden, also an ICIT fellow, said that visibility is another important reason not to risk the "keys to the entire kingdom" by granting even legitimate users unnecessarily broad access. Even within private industry, he said, compartmentalizing access is still a hard shift.

Ross stressed during the event that changing the culture at agencies is integral to overall success, and challenging institutional bureaucracy is just as important because "those are things that are going to bring you down faster." He and his NIST colleagues have been working on Special Publication 800-160 to help encourage such evolutions. The approximately 300-page document, scheduled to be published for public comment on May 4, explores how agencies can improve their security posture no matter what stage of the lifecycle their systems are in.

"Systems engineering and security engineering [are] a worldwide problem," Ross told FCW after the event. "Therefore the solutions are going to involve government, industry, and academia, and the not-for-profits, all in this great partnership working together to try to really solve this problem once and for all."

"The whole purpose of this document is to give people flexibility no matter where they are in lifecycle to do things that are going to help them be more secure and build systems that are more trustworthy," he said.

About the Author

Aisha Chowdhry is a former staff writer for FCW.

