Charles Denyer has worked for the Department of Defense and for 17 U.S. and international intelligence agencies, either directly or as a consultant, for most of his professional career.
That’s why he’s skeptical of recent federal directives ordering U.S. agencies to immediately patch known software vulnerabilities, such as the recent flaw in the open-source Log4j library. The directives require patching to take place in a matter of weeks or months.
Denyer, who advises business leaders on cybersecurity, cyber hygiene practices, and compliance issues, says federal agencies “are harder [than private enterprises] to correct and manage. The approval process for security tools and solutions, and the implementation process, is painstakingly slow and bureaucratic.”
Adding to these troubles, federal agencies are in the midst of a cybersecurity brain drain, losing talent to better-paying roles in the private sector. (By one estimate, 36,000 public-sector cybersecurity jobs remain unfilled, including 1,700 positions at the Department of Homeland Security alone.) That means fewer experts to deal with the government’s complex network infrastructure and often outdated legacy tools and systems. Watchdogs have given failing grades to these systems for years.
“I’m not sure leaders understand the problem,” says Nichoel Brooks, director of federal service at consultancy Optiv Security and a former U.S. Army colonel who headed up intelligence modernization. “It goes back to visualizing that problem. The result for federal agencies is an insufficient number of people to get everything done, even in the best of circumstances.”
As agencies retool their hiring efforts and declutter their tech stacks, they can take three cyber hygiene steps right now to gain greater visibility and secure their networks.
1. Make sure you can monitor and scan the entire IT environment
Each federal agency is unique. But they all share the same Achilles’ heel: a disparate IT environment of new and old systems, spread across on-premises and cloud-based platforms. What’s more, unmanaged endpoints have sprouted along with the massive shift to working from home. That, in turn, has clouded network visibility. After all, it is impossible to manage and protect what organizations cannot see.
And plenty of cybersecurity and IT professionals are flying blind. Some 75% of IT leaders surveyed by PwC for its 2022 Global Digital Trust Insights Survey report too much complexity in their technology, data, and operating environments, hindering their ability to monitor networks in real time. A complex and opaque environment hinders agency efforts to meet federal directives.
Real-time scanning of networks and endpoints, and thus improved security detection, requires more than just bodies to watch for alerts. “No human being can do that,” says Andrew Plato, a 25-year security pioneer and CEO of professional services firm Zenaciti. “It’s an utterly impossible task for one person or a hundred. It’s beyond the cognitive ability of humans.”
Embedding automation and artificial intelligence into monitoring can help—with software that can look for unusual patterns of behavior and not just for existing signatures of known attacks and vulnerabilities—and then alert people in an organization’s security operations center.
“You have to deploy technology and automation that can scan in real time, provide detection, so the humans can go back and go through it,” explains Plato. That still requires enough people to respond, which means federal agencies must commit to training, retaining, and rewarding people.
2. Consolidate data into platforms and ecosystems
Legacy systems rely on too many siloed point solutions. They do not always work well together or share the same view of the network.
“Tool sprawl” plagues organizations. In one survey, 55% of IT decision-makers reported using 20 or more tools between security and operations, with 70% saying these tools lack full integration. A profusion of loosely coupled point solutions creates added cost and complexity that end up hindering an organization’s ability to detect and respond to breaches.
Organizations must unify the team’s core operations and security capabilities within a single platform. This platform must give every member of the team the same comprehensive, real-time view of their environment and extend its functionality through an ecosystem of streamlined solutions that work well with one another.
One federal standard, Managing Information Security Risk (NIST SP 800-39), requires “an integrated, organization-wide program for managing information security risk to organizational operations…organizational assets, individuals, other organizations, and the nation resulting from the operation and use of federal information systems.” Effective risk management, it says, requires a broad scope, taking into account three tiers of risk: an organization’s mission and strategies, its business processes, and its individual IT systems.
By consolidating their point tools into platforms and building interoperable ecosystems, teams can lower the number of tools they need, reducing their costs, complexity, and risks. They can also reduce the number of interfaces they use for their security functions, and minimize the complexity, overhead, and friction between teams that must work together to secure the organization. In the process, they create a single comprehensive source of truth about their network, improve their tool utilization and effectiveness, and increase the return on their investments.
3. Integrate zero trust across the entire IT infrastructure
Finally, organizations must put in place a zero-trust strategy, perhaps the most difficult aspect of the federal directives. Zero trust isn’t just a technology, says Plato at Zenaciti. “You can’t take an ancient architecture and slap zero trust on it—you break everything,” he says. “That’s not something the highest paid team at Google is going to do in 90 days.”
Zero trust is an entirely new architecture and way of managing IT infrastructure. You can’t just buy a zero-trust product, Plato says. You have to integrate the approach into everything—all in an environment in which agencies don’t necessarily coordinate well and insist on “their own system integrators and their own platforms.”
Most organizations that excel at zero trust ultimately realize it is not a state of perfection. Rather, security is a destination. It’s a process. It’s something to aspire to.
But it’s something that the government can accomplish. “The reason I think the executive order has a great chance of happening is that it’s largely in the realm they control,” says Eric Noonan, CEO of CyberSheath Services and a former CISO for BAE Systems. “It’s not breaking new legal ground.”
Noonan says the directives may not happen on the administration’s absolute timeline. Instead, “they’re all intended to move the ball forward,” he says.
Ultimately, agencies that act with urgency to put in place the right systems and strategies will fare far better at keeping the bad guys away from sensitive government systems and data.