Commentary: Cybersecurity requires buy-in from the top
By Chris Wilkinson
Successfully securing networks against cyber threats requires support from the top — not only from the IT staff, but from C-level executives as well. Network monitoring, patching or purging outdated software and hardware, communications, and coordination are essential for good risk management policies and practices.
A recent seminar sponsored by immixGroup, Bit9, Hewlett-Packard Enterprise Security, and Sourcefire featured cybersecurity experts from government and industry who explored the factors that contribute to a federal agency’s ability to assess and anticipate threats as well as mitigate risk.
To start with, agencies must “push cybersecurity ownership up” the management ranks within the organization, said Gil Vega, the Energy Department’s associate chief information officer for cybersecurity and chief information security officer. At Energy this meant creating a risk management executive body that included senior executives and undersecretaries. Initiating meaningful cybersecurity practices required sharing the responsibilities of risk management decisions, Vega said.
He recommended taking inventory of endpoints and patching applications and operating systems. Network surveillance and incident response are critical activities as well, he noted. Sharing information is vital. Energy distributes threat information departmentwide and a joint cybersecurity coordination center ensures appropriate communication among the stakeholders.
Energy is implementing a number of lessons learned from previous cyber event experiences:
— Avoid putting too much stock in a layered defense or a multilevel security environment. Let go of “minority technologies” that are languishing and creating vulnerabilities.
— Monitor cyber events around-the-clock. Most occur over long holidays, Vega said, leading him to “rue holiday weekends.”
— Maintain core forensic capabilities.
— Keep a senior project manager on response teams to help coordinate all activities. This improves response times.
— Be prepared to call for help from bureaus and other agencies. Don’t be afraid to acknowledge that there has been an attack. Use this communication to gather the necessary resources.
— Develop an emergency communications continuity of operations plan. This will enable you to talk, coordinate and collaborate effectively across long distances in the hours and days following a major event.
Donna Dodson, chief of the computer security division and deputy cybersecurity adviser for the National Institute of Standards and Technology, underscored the importance of patching older systems. She cautioned, however, that some legacy systems and applications are so wedded to an organization’s day-to-day operations that tremendous resources will be required to purge them. “Recognize it’s going to be a big but critical problem to resolve,” Dodson said.
Managers also must consider the information to be protected as well as infrastructure, she said. In terms of strategy, Dodson recommended agency leaders start by assessing vulnerabilities and establishing security automation guidelines for continuous monitoring.
“Continuous monitoring is very powerful,” she said, adding that it is important to take inventory of potential vulnerabilities and to put techniques in place to address them.
In the coming months, Dodson said, NIST will issue major revisions to cloud and mobile guidelines included in Special Publication 800-53, which recommends security controls for federal IT systems and organizations.
Heeding the advice of these experts will improve an agency’s preparedness in the event of a cybersecurity event.
Chris Wilkinson is senior manager of cybersecurity technologies with immixGroup, which helps technology companies do business with the government.