What's next for agency cyber efforts?

Ninety days after the Trump administration's executive order, FCW sat down with agency cyber leaders to discuss what’s changing.

Participants from FCW's March 23, 2017, roundtable discussion on CDM

When the White House issued its long-awaited executive order on cybersecurity in May, it formalized what many in government had long argued was necessary: adopting the National Institute of Standards and Technology’s Cybersecurity Framework and embracing enterprise risk management at every agency.

FCW gathered cybersecurity leaders on Aug. 9 — 90 days after the cyber order was issued and the date by which agencies were required to submit a written response to the Office of Management and Budget regarding their new risk assessments — and asked them to discuss their experiences to date. The discussion was on the record but not for individual attribution (see below for a list of participants), and the quotes included below have been edited for length and clarity. Here’s what the group had to say.

Big changes or paving the cowpaths?

Most participants said President Donald Trump’s May 11 executive order didn’t tell them anything they didn’t already know, but they still praised it for making cybersecurity’s importance clear governmentwide.

“We had already codified things such as the security framework as to ways we were moving forward,” one security executive said. “We’ve had maybe validation but no impact from the executive order at this time.”

She added that “we were already moving down that path. Because of that, I fully endorse what they’re doing.”

Another participant, whose agency was perhaps not quite so far along, agreed that “most people who were doing strategic planning within their agencies were fully cognizant” that different approaches were needed.

“Whether you talk about the need to prioritize cyber investments based on high-value assets or some other algorithm,” he said, “it was becoming very obvious because the number of dollars needed is ginormous. And agencies have mission activities that they need to do, so you can only compete so much for those funds.”

He added that “the recognition that we need to modernize the network structure is kind of also a self-evident truth. This is a core, systemic problem that exists, and…it is now recognized that modernizing the infrastructure is absolutely critical in order to solve our cyber problems because we can’t keep patching.… That was also intuitively obvious, but many things that are intuitively obvious aren’t really intuitively obvious until someone puts them into a formal document and says, ‘This is what’s going on.’”

That affirmation of generally held best practices also poses a bit of a risk for agencies that have already embraced them.

“What I see in the order is a lot of the same things that we’ve seen in the past, just stated in a different way,” one executive said. And like most guidance, the executive order and OMB’s implementation memo came with the unspoken assumption that “you weren’t doing it before.”

That executive’s agency — a Cabinet-level department — took care to establish a clear baseline for each of the five core activities in the Cybersecurity Framework. In its submissions to OMB, the agency showed “where we have made significant accomplishments in the past,” he said. “And because of those accomplishments, we’re going to move and build on those to move to the future.”

He added that “we do not want to give anybody, especially OMB, the impression that…we’re not continually improving and reviewing our cybersecurity posture.”

FCW Perspectives

Participants

George “Dennis” Bartko
Director, Capabilities Development Group, CIO, U.S. Cyber Command

Ibrahim Beshir
Information System Security Officer, State Department

Deborah Dement
Cybersecurity Analyst, Naval Air Systems Command, U.S. Navy

Abby Famoriyo
Information System Security Officer, Department of Housing and Urban Development

Ross Foard
CDM ICAM SME and Phase 2 Engineer, Department of Homeland Security

Laura Gerhardt
Technical Lead and Developer, Technology Transformation Service, General Services Administration

Colin Han
Information Security Specialist, Food and Drug Administration

Thresa B. Lang
Deputy Director, Navy Cybersecurity Division/DDCIO-Navy, Department of the Navy

James J. Quinn
Lead Systems Engineer, Continuous Diagnostics and Mitigation Program, DHS

Daniel Stein
Program Director, National Cybersecurity Training and Education Program, Cybersecurity Education and Awareness Branch, Stakeholder Engagement and Cyber Infrastructure Resilience Division, DHS

Shue-Jane Thompson
Vice President and Partner, Cyber Security and Biometrics, Global Business Services, IBM

Rod Turk
Acting CIO and Chief Information Security Officer, Commerce Department

Note: FCW Editor-in-Chief Troy K. Schneider led the Aug. 9 roundtable discussion. The gathering was underwritten by IBM, but the substance of the discussion and the recap on these pages are strictly editorial products. Neither IBM nor any of the roundtable participants had input beyond their Aug. 9 comments.


Another participant, however, said the order had already served as a valuable forcing mechanism for collaboration. “This was a great avenue to bring all different departments within the agency together to say, ‘Hey, how do we work together to respond to this EO? Because we can’t do it by ourselves, and if we want to be successful, we have to work together.’”

And virtually all the participants agreed that the cyber executive order was different from others in that it clearly explained the thinking behind the changes.

“They actually did attempt to provide background as to why they thought this thing needed to be addressed,” one participant said. “It was actually the first time, rather than just having a ‘You shall do.’”

Another participant praised OMB for acknowledging that some tactics — like Trusted Internet Connections — might not be the best approach now that the strategy has shifted from data center consolidation to “cloud whenever possible.”

“It is kind of unique for the government to say, ‘We choose to go down Path A, but we realize the world has changed,’” he said.

Culture still comes first

Several participants said the order’s message is important because so many people in the government still see cyber as a compliance exercise.

“You’ve got to go through the cultural shift first,” one said. “That’s essentially the pivotal change that has to occur because I don’t need to collect a whole bunch of data to fill out a compliance checklist.”

There are real operational challenges, the group said. For instance, cloud technology complicates asset methodology and the idea of attack surfaces. “But those are things that we can evolve to,” one executive said — unless “everyone still falls back on ‘security is compliance.’… You’ve got to change the overall approach to cybersecurity to be a much more proactive game that says you continuously have to be ready to do things because the threats are evolving.”

Many mission leaders and top agency officials still struggle to think about cybersecurity in this way, participants said, but several added that the NIST framework was making that education process easier.

“No one will ever say it’s simple,” one executive said. But the five basic levels — identify, protect, detect, respond and recover — make the framework “highly consumable by an executive understanding the complexities of the cybersecurity question.”

“You only have five words to work with,” he added. “You can build a great story around those five words that really resonates with the front office.”

Ultimately, another executive said, the challenge comes down to turf. “Every time I looked at an agency that was serious about doing consolidation or aggregation or modernization, it’s not finding the assets to do it that’s the challenge,” he said. “The hard part is the geopolitical effects to the agency in terms of human resources, organizational construct and who’s operating these systems.”

Accountability changes everything

The executive order’s declaration that agency leaders are directly responsible for cybersecurity is a big deal, most participants said. Although there have been few public signs of that shift, one executive said that for her agency, “it meant a complete change in everything.”

“This wasn’t just our CIO,” she said. “This was the top boss who said, ‘Cybersecurity: big deal, pay attention.’ It led us to change the actual structure of the organization.… The ability to move resources and to change the actual structure of the organization is huge.”

Another executive elaborated on what those changes look like. “If I knew that if I can’t accomplish that mission objective without having systems be secure, then I may restack the priority deck on where the assets are going. I may reallocate funding and reallocate effort — and it’s making that risk management decision at that top level.”

That accountability trickles down, several participants said. “When the most senior leaders are accountable, that means that the leaders under them are also accountable. In every one of my domains, every one of those leaders has to go to the top executive and say, ‘This is what I’ve done in the last six months in each one of these categories in the framework.’ This is the maturity that we are measuring.”

Such accountability is also encouraging collaboration, another participant said. “There are some efforts going on now where several of the departments are coming together at the CISO level to actually sit down and talk about common ways that we can solve some of these problems,” he said.

“There are varying levels of security maturity when you look at some of these initiatives,” the executive added. “Those agencies that are more mature have some significant lessons on how they do this. I want to see what they are because, frankly, I don’t want to have to relearn them. And on the converse, if somebody else needs the ideas that we’ve already worked through, we’re more than happy to share those.”

Another participant said the different initiatives — IT modernization, the president’s management agenda, data center optimization and other cross-agency priority goals — are increasingly coming together as a coherent set of components for the broader mission of cybersecurity.

“I like the idea that we’re getting all levels of input on this,” he said. “I think it does raise the level and turns up the heat a little bit for the CISOs and the CIOs. But the benefit to that is that you get the interest level from the top.”

Making the budget case

Buy-in, however, is not the same as actually having the dollars with which to buy. “This is the question of the ages,” one participant said. “What is the value of one more dollar of cybersecurity spend?”

He added that “it’s almost like proving the negative, trying to defend your cybersecurity dollar. It’s an insurance policy, and trying to sell that insurance policy is often very, very difficult.”

“I don’t think everything’s a dollar-based decision anyway in this world,” another participant said. “That’s part of the challenge. A lot of these risks that we see could be existential to your organization, and there’s no amount of insurance that you can purchase to thwart that risk.”

Another participant, however, cited economic research that suggests a 1 percent increase in new IT spending generally results in a 5 percent decrease in security breaches. “So you can communicate that pretty easily to your CFO without having to reinvent those metrics,” she said.

And with IT modernization still an unfunded aspiration, improved security is going to have to be paid for by the programs themselves, participants agreed.

“I think you don’t have a choice,” one executive said. “Whatever assessment you need to do at the end of the day, you budget for that right upfront in the program. If you’re doing agile development, you create standards of what you want to be doing, and you hold the program accountable to the standards.”

Such an approach not only sources dollars, he said, but also saves them while incorporating security at the beginning, where it belongs. “You’re paying for it right upfront in the program, and it’s not an add-on so you don’t have to go back later,” he added. “It’s done and it’s completed — and it’s a lot cheaper.”

The need for speed

As those last points suggest, the group viewed DevOps as a critical tool for breaking the cycle of outdated and insecure systems.

“There’s been a lot of good strategy with respect to what you can do for cybersecurity,” one participant said, “but the speed of implementing has been so, so slow that as a result, the risk changes before you can get that strategy in.”

“Somehow we forgot that time is important in the work we do,” another executive said. “We built in these delays thinking we were gaining assurance when we actually are reducing the reliability of the system.”

“You need to be able to identify vulnerabilities at the system level,” another participant said, “and be able to remediate and push out that patch in hours or minutes — not days or weeks…. There are big legacy systems out there with known vulnerabilities for years. That kind of cycle time is just unacceptable.”

That participant also argued that cloud services — and especially platform-as-a-service offerings — can dramatically improve an agency’s security posture.

“If you’re looking at FedRAMP solutions, they’re already meeting the FISMA compliance burdens,” she said. “So that replicability and automation [are] built into the process.” Agencies can push those activities onto the cloud service provider and focus on mission-specific security “rather than everything under the sun.”

A different take on the workforce challenge?

Finally, a handful of the participants argued that the executive order’s biggest impact might actually involve the workforce.

One executive said that “until now, there had been the sense that the workforce is important, but not nearly as important as this, this, this and this. Now that we have the reality that the cybersecurity workforce is not necessarily up to the standards of other either friendly or competitor nations, that puts it into the context of national security.”

Another said that although the order doesn’t say so explicitly, it “suggests that an awareness of cybersecurity careers is becoming more of a requirement for the public to know about it.”

A third argued that the real challenge is not growing the pipeline of cyber specialists to bolt on solutions at the end but rather instilling the technology creators with cyber awareness. “Until the designers and the developers get into that mode, we’re always going to be behind,” he said.

A fourth participant, meanwhile, pointed to a very different workforce challenge. “Everybody complains about how we don’t have cybersecurity technical people,” he said. “But I submit to you that if you don’t have a couple people in your organization who know how to speak, know how to write, know how to do finances, you’re going to lose.”

He added that “the typical cybersecurity scientist is going to be talking in bits and bytes. Put them in front of the CFO — forget about it. The CFO is not going to have a clue, and you’re not going to get your money.”
