Cybersecurity's secret sauce: audits?

Every government agency seeks the elusive "secret sauce" for cybersecurity -- the right combination of defenses, policies and people that create the best position against cyberattacks. But too often, the pursuit becomes mired in compliance and the complexities that comprise today's congested cyber landscape.

Most experts agree that much needs to change in terms of federal cybersecurity, including a wholesale shift in approach that better integrates agility, continuous monitoring and a broader team beyond just IT, according to former top officials speaking Oct. 10.

"We need to get away from this compliance-focused approach to cybersecurity and mature that entire process to adapt to the changing threats and a changing landscape," said Earl Crane, former White House national security adviser for cybersecurity policy now at Promontory Financial Services. "Trying to do that with a checklist-based model isn't achievable."

Crane spoke as part of a panel at an Association for Federal Information Resources Management event in Washington, D.C.

Much of the new-age approach to cybersecurity that experts encourage centers on continuous monitoring and risk management, buzzwords that so far are tough to find within official governance. Crane and others argue that those changes are overdue, along with some others that date back to the 1996 enactment of the Clinger-Cohen IT management reform legislation.

"I don't think that merging of the CIO, CFO [and] deputy secretary has happened to the extent that it should be," said Karen Evans, national director of the U.S. Cyber Challenge and former Office of Management and Budget administrator.

There is, she said, a conversation that is largely not taking place, one about how investment priorities, risk tolerance and contingencies support an agency's primary mission. "That conversation is supposed to have been happening since 1996, but it's still not happening," she said. "We have all these tools out there, but until we have this conversation, nothing can happen."

Evans also suggested another shift in approach: While consistency might be lacking in policy and governance, other sources -- including audits and inspector general reports -- can be effective in getting through to decision-makers.

"The things that senior leadership does respond to are GAO reports [and] IG reports, and in private industry the audit committee is the most powerful on any board," Evans said.

Those audits and reports can be essential in identifying gaps in an agency's security stance, and as a result can supplant outdated or cumbersome directives with more effective guidance.

Cybersecurity is "now being brought into the audit committee because that's what leadership looks at – they look at the results of an audit," Evans said. "And so what some of us think needs to happen is the IGs in the government monitoring against that. They do the evaluation from that point and that becomes the baseline of the agency from an independent evaluation."

Still, that can mean a significant departure from the status quo, something that is difficult to do – and a major factor in why those changes have not happened yet.

"In government, in my experience, you have to bring people along to effect change and it's a long process," said Richard Spires, former Homeland Security Department CIO. "Before you can get it done, things change out from under you. Leadership changes, some new dynamic happens and then you find yourself back at square one. I think those changing dynamics can be a big reason why we don't have these sophisticated" processes.