Officials talk candidly about workforce cyber hygiene


Cyber experts from both the public and private sector say better governance and more accountability in the federal workforce are needed in order to improve cybersecurity.

National Institute of Standards and Technology Fellow Ron Ross said the bigger problem "is a governance issue; it's about leadership ... I think we have to turn the corner at some point and start to take a hard look at what we are doing and see what we can do better." Ross spoke at an April 25 event hosted by the Institute for Critical Infrastructure Technology in Washington.

A household name in the cybersecurity arena, Ross said that, given the size and scope of databases that are now common, it is essential to have that accountability factor. In the case of the Office of Personnel Management, for example, he argued that the breach might have been avoided if there had been a better structure governing who the authorizing officials are for system usage.

ICIT Fellow Dan Waddell added that more resources need to be devoted to cybersecurity training for the workforce. "Systems need patching, but people need patching too," he said. And such training can't be limited to the tech specialists, he stressed; getting employees in other departments to internalize good cyber hygiene makes them a greater asset to the organization. It's "not just educating the cyber workforce," he said.

As awareness of the threats to agency networks continues to grow, and lawmakers continue to pass more legislation aimed at protection, the topic draws an additional level of scrutiny. Thomas Boyden, also an ICIT fellow, said that visibility is another important reason not to risk the "keys to the entire kingdom" by granting even legitimate users unnecessarily broad access. Even within private industry, he said, compartmentalizing access is still a hard shift.

Ross stressed during the event that changing the culture at agencies is integral to overall success, and that challenging institutional bureaucracy is just as important because "those are things that are going to bring you down faster." He and his NIST colleagues have been working on Special Publication 800-160 to help encourage such changes. The approximately 300-page document, scheduled to be published for public comment on May 4, explores how agencies can improve their security posture no matter what stage of the lifecycle their systems are in.

"Systems engineering and security engineering [are] a worldwide problem," Ross told FCW after the event. "Therefore the solutions are going to involve government, industry, and academia, and the not-for-profits, all in this great partnership working together to try to really solve this problem once and for all."

"The whole purpose of this document is to give people flexibility no matter where they are in lifecycle to do things that are going to help them be more secure and build systems that are more trustworthy," he said.

About the Author

Aisha Chowdhry is a former staff writer for FCW.
