Johnson: A hard lesson we learned about a year ago is becoming too reliant on the technology, falsely believing that the investments we had made in technical controls were providing adequate protection. Although we've made significant changes and improvements in our technical controls over the past year, the biggest changes have been in how we organize and govern our cyber program, nearly a three-fold increase in staff dedicated to cyber analytics and response, and increased formalization of processes for risk assessment, control planning, control testing, and incident response.
InformationWeek: What's the true effectiveness of security audits (paper compliance versus real value)?
Johnson: As a government contractor, we don't expect paper compliance audits to go away anytime soon. In any year, PNNL gets audited by three or four different Federal entities. To get real value, though, we have increased our use of "war gaming" to test our controls and, more importantly, our cyber analytics team's ability to detect and respond.
InformationWeek: Where is security today, versus where it needs to be?
Johnson: In the past, cyber security focused on protecting network borders, whether between the corporate network and the Internet, or between Intranet security partitions, using bastion firewalls and strong authentication. Today, the move has been to protecting information containers -- workstations, servers, portable media -- using end-point protection solutions. In the future, we need to focus on protecting the information itself -- automatically identifying and protecting sensitive information, using data rights management technology.
InformationWeek: How has the threat changed?
Johnson: We're now seeing well-funded organized crime and nation-state attacks. "Defense in depth" concepts are generally working and frontal assaults are decreasing. Instead, attacks are launched from the inside via spear phishing and social engineering against unwary users. Attacks can be zero-day, but more often than not are exploits against known, but unpatched, vulnerabilities.
Once a single workstation is exploited in this manner, the outside threat is now an insider threat and the challenge becomes one of detection and containment. Detection is difficult -- these well-funded adversaries are patient and work low and slow. Containing their ability to move around your internal network, therefore, becomes critical. And, as you can imagine, containing movement around your internal network hurts productivity. It's a nasty cycle.
InformationWeek: In today's cost-constrained environment, how does one spend effectively on security?
Johnson: Gartner benchmarks that companies in corrective mode spend 7% to 8% of their IT budget on cyber security, and 3% to 4% in steady state. I think the steady state numbers are too low, as we see these "cyber-healthy" organizations periodically cycle back to being unhealthy and having to invest at the 7% to 8% level again. At PNNL, we are targeting a steady state of around 6%, and will monitor how we perform cyber-wise at that spend level.
InformationWeek: Are there things you just have to leave on the table?
Johnson: Of course, we all live with finite resources. Using our risk-based approach, we focus first on the high risk threats and vulnerabilities, and work the lower risk ones as time and resources permit.
Here's a video of the InformationWeek500 security panel:
For Further Reading:
My NetworkComputing blog: Cybersecurity Challenge: Is Your Network Safe? (Probably Not);
Another NetworkComputing post: Crypto Key Management Is Next Wave In Net Security;
What's your take? Let me know, by leaving a comment below or e-mailing me directly at [email protected].
Follow me on Twitter: (@awolfe58)
Alexander Wolfe is editor-in-chief of InformationWeek.com.
Missed the InformationWeek 500 Conference? See the best of the event, including a keynote by Federal CIO Vivek Kundra and panels with top C-level executives, on the theme of Navigating The Boardroom: What Do You Bring To The Table? Click the link to register and immediately access an on-demand replay.