Cybersecurity Should Be Chess, Not Checkers - InformationWeek
Government // Cybersecurity
Commentary
9/29/2017 09:00 AM
Will Ash, Senior Director of Security, U.S. Public Sector, Cisco

Cybersecurity Should Be Chess, Not Checkers

Cybersecurity initiatives for government agencies -- in fact, other organizations, too -- have to be proactive and iterative.

According to the US Office of Management and Budget, federal agencies reported 30,899 cybersecurity incidents to the Department of Homeland Security last year. Threats are evolving across multiple vectors as the number of potential entry points expands exponentially with the proliferation of connected devices and the Internet of Things (IoT). IHS Markit predicts that the number of connected devices will increase from 15.4 billion in 2015 to 30.7 billion by 2020, and 75.4 billion by 2025.

Last fall, the Mirai botnet recruited connected devices such as webcams and DVRs to disrupt websites including Spotify, Twitter, and PayPal. Also last year, white hat security researchers demonstrated how to execute a ransomware attack on smart thermostats, and cyberattacks on the Ukrainian electric grid have been carried out over the past two years.

Given this new world of connected devices and sensors, cyber hygiene can no longer be limited to basic endpoint security, firewalls, and dual-factor authentication. Public sector agencies need strong security strategies that fit into their organization’s broader digital plan.

Need to develop a cyber plan, but strategically

Cisco’s 2017 Annual Security Report found the majority (54%) of public sector organizations still take a project-based approach to purchasing security solutions. Meanwhile, the public sector lags behind the private sector in taking an enterprise architecture approach to cybersecurity purchasing: just 28% of agencies, compared to 38% of private sector organizations.

This delta indicates that most public sector cybersecurity decisions are being driven by reactions to security incidents rather than by a proactive, strategic approach that’s part of a larger security plan.

Agencies that aren’t incorporating security into their IT strategy at the ground level are essentially playing checkers (reactive) when today’s environment requires you to be playing chess (preemptive). Truly effective cybersecurity requires an integrated, flexible architecture with an approach that balances all the elements – technology, processes, and people.

Embracing secure technology

Last year, NIST introduced Special Publication 800-160: Systems Security Engineering. The new guidelines emphasized that security must be engineered, that is, built into IT software and connected devices from the beginning, rather than “bolted on” later.

Four aspects of systems engineering that would enhance security for agencies include:

  • Designing IoT devices that force consumers to change the default passwords as soon as they are connected to the network
  • Encouraging public-private partnerships among agencies and industry security providers to monitor for and stop unusual traffic among network devices
  • Eliminating hardwired security credentials that could provide a “back door” to hackers
  • Enabling remote updates and patches
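The first and third items above, forcing a default-password change on first connection and removing hardwired credentials, can be enforced in device firmware rather than left to the user. The following is an added illustration written for this article, not code from the author, Cisco or NIST: a hypothetical device credential store that ships in a “needs provisioning” state, grants nothing but the change-password function while the factory default is still in use, and stores only a salted PBKDF2 hash of whatever replaces it. The factory credentials, length policy and iteration count are constructed values for the example.

```python
"""Provisioning gate for a hypothetical IoT device (added example).

Until the factory default password is replaced, a successful login yields
only 'change_required'; no other service is enabled. No plaintext secret is
kept on the device, only a per-device salt and a PBKDF2 hash.
"""
import hashlib
import hmac
import os

# Constructed factory defaults for the hypothetical device.
FACTORY_USER = "admin"
FACTORY_PASSWORD = "admin"
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the same function hashes the factory default."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class DeviceCredentialStore:
    """Holds the single administrative credential of the hypothetical device."""

    def __init__(self) -> None:
        # Ship in the 'needs provisioning' state: the factory default is hashed
        # like any other password but flagged so it cannot unlock services.
        self.salt = os.urandom(16)
        self.password_hash = _hash_password(FACTORY_PASSWORD, self.salt)
        self.default_in_use = True
        self.failed_attempts = 0

    def verify(self, username: str, password: str) -> bool:
        """Constant-time comparison of the candidate hash against the stored one."""
        if username != FACTORY_USER:
            return False
        candidate = _hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.password_hash)

    def login(self, username: str, password: str) -> str:
        """Return 'denied', 'change_required' or 'ok'."""
        if not self.verify(username, password):
            self.failed_attempts += 1
            return "denied"
        self.failed_attempts = 0
        if self.default_in_use:
            # Authenticated with the factory secret: only the password-change
            # endpoint is reachable until it has been rotated.
            return "change_required"
        return "ok"

    def change_password(self, username: str, old_password: str, new_password: str) -> bool:
        """Rotate the credential; reject short, unchanged or factory-default values."""
        if not self.verify(username, old_password):
            return False
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return False
        if new_password in (FACTORY_PASSWORD, old_password):
            return False
        # Fresh salt on every change; the previous hash is discarded.
        self.salt = os.urandom(16)
        self.password_hash = _hash_password(new_password, self.salt)
        self.default_in_use = False
        return True

    def service_enabled(self) -> bool:
        """Device services stay off while the factory default is in use."""
        return not self.default_in_use


def provision_device(new_password: str) -> DeviceCredentialStore:
    """Simulate first boot: log in with factory credentials, then rotate them."""
    store = DeviceCredentialStore()
    if store.login(FACTORY_USER, FACTORY_PASSWORD) != "change_required":
        raise RuntimeError("device did not start in the provisioning state")
    if not store.change_password(FACTORY_USER, FACTORY_PASSWORD, new_password):
        raise ValueError("new password rejected by policy")
    return store


if __name__ == "__main__":
    device = provision_device("correct horse battery staple")
    print("service enabled:", device.service_enabled())
    print("factory login now:", device.login(FACTORY_USER, FACTORY_PASSWORD))
```

The point of the gate is that the factory default can only ever reach one function. A device built this way has no “hardwired” credential a scanner can reuse across units, and the decision is made in the firmware rather than in a setup wizard the user can skip.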

But incorporating security technologies cannot be an afterthought. Security needs to be part of the strategic digital plan rather than an impulse response to the latest breach.

Developing and refining processes

NIST’s revised 2017 Cybersecurity Framework notes its very definition of “risk management” is the “ongoing process of identifying, assessing, and responding to risk.”

The key phrase here is “ongoing process” – a continual journey of measuring, evaluating, and refining systems and protocols to ensure proper protection before an attack takes place. This gets to the core of the issue, that proactive cybersecurity is an iterative process of improvement rather than the mere execution of a checklist.

The approach agencies take dictates how security technologies and critical processes are implemented and adapted over time. Being proactive is imperative to limiting risk and responding to threats.

Put another way, effective cyber risk management requires an architecture that enables planning two or three moves ahead (chess) and provides flexibility to adapt, rather than a culture of simply responding to threats as they occur (checkers).

Don’t forget about the people

Among public sector respondents, Cisco’s 2017 Annual Security Report found that two of the top five hurdles to adopting advanced cybersecurity technologies related to people: organizational culture and attitudes about security, and a lack of trained personnel.

Agencies must focus not only on physical IT modernization through the procurement process, but also weave cybersecurity into the fabric of the organizational culture. No matter how extensive an agency’s security protocols, they are useless in the absence of proper training, buy-in, and active use by the employees themselves.

Cybersecurity is thought of as a technology issue, but at its core people still execute the attacks and develop the defenses. New technology is great, but new thinking and strategy are equally important.

The game of security should be one of chess, not checkers. With internal and external weak points abundant, public sector agencies need to be strategic instead of reactive with their security, creating an ongoing process that fits into their organization’s broader digital plan. There is a lot to think about: finding the right security technology, the right security procedures, and bringing the entire agency on board with how security should be viewed. However, an agency with a security-first mindset that sees security as an enabler will be able to embrace the best security strategy for its digital future.

Will Ash, Cisco

Will Ash is Senior Director of Security, U.S. Public Sector, for Cisco.
