A special edition of GovLoop’s DorobekINSIDER today. We're LIVE! It's the 11th time we’ve met and we are doing this at least once each month this year. The idea is simple: get smart people together and share ideas because we believe that the real power of information comes when it is shared.
Cyber-security has always been a huge issue for government and technology, but as we become more dependent on technology to do, well, pretty much everything, the threats have changed and evolved. The technology we are using is changing and evolving too: cloud, mobile, BYOD. Who would have guessed the government would be talking about BYOD? And agencies have to do all of that in a do-more-with-less environment.
So how do you navigate this complicated tightrope? We brought together a panel of experts to help.
- Ron Ross, Fellow at the National Institute of Standards and Technology’s Information Technology Laboratory, Computer Security Division
- W. Hord Tipton, Executive Director of (ISC)², the cyber-security education and training organization. Hord has served in a number of key posts, including as the chief information officer for the Interior Department.
- Quentin Hodgson, Chief of Staff, Cyber Policy, US Department of Defense; Director, Cyber Planning, Operations and Programs, CIV OSD OUSD Policy
- Patrick Fiorenza, Senior Research Analyst, GovLoop. Pat also wrote the new GovLoop Guide on Cybersecurity: Winning the Cybersecurity Battle.
"90% of GovLoop survey respondents said they were unprepared for a cyber attack," said Fiorenza. That is a startling statistic.
What's the current state of cyber?
Ross: In the past four years we have done a lot to improve our cybersecurity tools and requirements. We now have a strong cybersecurity toolbox. The problem is how we apply the toolbox in the enterprise. Right now we are not integrating our cyber folks into the acquisition process, so we end up playing whack-a-mole. We end up trying to fix security problems on the back end instead of creating strong security procedures from the beginning. If cyber folks are in the process earlier, our enterprise will be more secure. This is a cultural problem.
Tipton: It is important to remember that there are no guarantees. The real concern is that there is a huge skills gap. Research shows that there are 300,000 cyber jobs that we need to fill. We don't have the people. It will only get worse if salary and satisfaction continue to drop for government workers. We will not be able to recruit the best under those circumstances.
Hodgson: The question we need to be asking is: what is the right level of cybersecurity investment? Cyber is sort of like buying insurance; you know you need it, but you really don't know how much coverage you need. Should you expect a disaster? Are you ready? That's where risk management comes into play. At the DOD we have to ask ourselves what it will take to continue to do missions. We need to create a value chain where we are able to prioritize.
Ross: Right now we have a culture that is focused on reacting. But we are bringing in all these new devices. Tablets. Smartphones. We are creating an environment with unlimited complexity. We can't expect all of these devices to be secured in the same way. We need to make some course corrections.
Tipton: We could solve a lot of the vulnerabilities if we could simply fix the 80% of the problems that are easy. Right now we can't even discover all of our attacks. 50-70% of our attack discoveries come from third parties.
Ross: More security and privacy controls will not fix the problem. The areas that are critical to survival have to be categorized differently. We have to prioritize security at a low, medium and high level. Then we have to take that level and apply the best security to the highest priorities.
Hodgson: Devices have been showing up at a tactical level. Palm Pilots and BlackBerrys have been around for more than a decade. But now we have to figure out how to make things portable without having to add 20 pounds of hardware.
For more on the training needed for cyber pros, click here.
Also check out GovLoop's Cyber Guide.