Management

Cybersecurity and the Government CIO

Cracking the code on implementing strong cybersecurity programs places the onus of leadership on agencies' CIO teams.

Natalie Givans is a vice president at Booz Allen Hamilton, leading the firm’s assurance and resilience business, which includes cybersecurity and mission assurance, across all market segments. She has more than 25 years of experience in information and network security and system security engineering. Bob Post is a vice president and member of Booz Allen’s assurance and resilience team and has over 25 years of experience in the fields of security and preparedness.

It is a fact of life for government CIOs that their cyber assets will always be at risk.

The drive to make government more accessible to citizens, drive down costs and improve efficiencies means that cyber assets are more critical to our everyday lives. Yet, even as our reliance on these assets grows, the infrastructure remains vulnerable, and threats have become more prevalent and sophisticated. Whether it is an unwitting user who inadvertently causes damage or a skilled, determined attacker, these threats are real.

All too often — because of organizational, cultural, economic, technical and operational challenges — CIOs lose the battle to secure their cyber assets. They end up implementing point solutions that remedy only the latest vulnerability, without having the authority or resources to address systemic issues that prevent them from having a secure and resilient infrastructure on which to conduct mission-critical functions, both for their organization’s administrative missions and their stakeholders’ business missions.

For CIOs trying to build strong, effective cybersecurity and integrate security and privacy in support of mission and stakeholders, the roadblocks lie in four major areas: awareness and education, governance and decision rights, risk management in the context of cost and security, and the resilience to recover after inevitable attacks. Addressing each requires a shift — in some cases a major shift — in the way agencies approach cybersecurity, at both the strategic and tactical levels.

Transforming Awareness into Action

Many CIOs have capitalized on the growing focus on cybersecurity to make positive changes, but this focus also shines a spotlight on some deep-seated challenges that CIOs will continue to face within their agencies. Specifically, while it is encouraging that awareness about cybersecurity is increasing, it is critical for CIOs to transform awareness into action.

Across agencies, CIOs must ask themselves three questions:

1) Who is on my network, and what are they doing?

2) Are legitimate users of my cyber assets aware of the impact of their actions?

3) How can I satisfy the organization’s growing administrative and mission needs securely?

To answer the questions about network health and gaps in network defense, CIOs need to work with their staffs to identify the comprehensive technical needs of the agency. To find a true end-to-end security solution, questions should focus on: what types of detection and forensic capabilities the mission requires; how the agency can minimize gaps and reduce costly redundancies; and how the agency can ensure that the right information is available to the right people.

Next, CIOs need to determine what cultural changes need to be made in their agencies. This may be the most challenging task the CIO faces. If there is a low level of awareness of cybersecurity needs, then education and awareness training will be required for every individual in an organization. Cybersecurity is most effective when it is seen as an enabler and as everyone’s responsibility. To accomplish this, the CIO must be aware of key work processes and how a secure and resilient IT infrastructure supports them. CIOs need to be able to effectively communicate network defense needs to the rest of the “C suite” and help stakeholders — actually, everyone in the organization — understand the role each plays in ensuring a secure and reliable operational environment. This can’t be done effectively without considering the next three areas: governance, risk management and resilience.

Governance

Where the cybersecurity function resides within an organization and what level of authority it has over networks, data and applications across the enterprise has a large impact on its effectiveness. The operating model of the organization (command and control versus federated), the culture of the organization and the mission of the organization all affect where the function should lie. Effective cybersecurity takes into account not only threats and vulnerabilities, but also the organization’s processes and ultimately the missions it supports. In working with CIOs across Defense, national security and civilian agencies and commercial organizations, we’ve found that if the security function is not sensitive to these variables and fully integrated with an organization’s processes and missions, it will be ineffective.

Wherever the function lies, the top individual must have sufficient visibility into what he or she is responsible for, have the authority to enforce policy and understand the organization’s mission. Additionally, senior management across the organization (in headquarters, bureaus and divisions) must recognize how secure and resilient systems enable them to perform their missions.

In organizations that are decentralized or federated, the CIO’s ability to communicate and influence when he or she can’t “command” is essential. We have found the use of tabletop exercises especially effective at helping senior leaders gain a greater understanding in this area because it brings the major stakeholders of the organization (and sometimes its constituents, customers and suppliers) together around one or more specific scenarios. As the stakeholders work through the scenarios, they discover important insights into governance, decision rights and communication challenges, and they can test alternative solutions.

True Cost of Cybersecurity

CIOs must continually decide how to best spend their security dollars. But very seldom can they see how much risk is reduced by each dollar. For instance, when faced with tight budgets, should the CIO spend security dollars on a technical solution, or implement an enhanced education, training and awareness program?

In most organizations, the answers are not immediately obvious and rely on guesswork rather than metrics. As they gain visibility into the enterprise and get clear, repeatable metrics, CIOs are in a better position to answer these questions and deploy resources where they will have the greatest impact. Organizations need to take a hard look at where their cybersecurity dollars are being spent and what the risk-related results are for their mission when they decide how dollars are allocated to the security and IT portfolio.

Ensuring Resilience

No security approach is 100 percent foolproof. In dynamic environments, new vulnerabilities are introduced daily, threats become more sophisticated and successful, and the human element remains a weak link. Even so, we cling to the belief that we can protect our cyber assets against any and all events.

CIOs must accept that bad things do happen — and when they happen, the focus must be on how to respond and reconstitute mission-critical functions. Designing resilience into the cyber enterprise is crucial. Incident response capabilities combined with backups of critical data and applications are key to operating safely in a hostile environment.

Preparing for the Future

Government leaps in technology are both exciting and challenging. To ensure that agencies appropriately integrate cybersecurity into both the organization and mission, CIOs should do the following:

1. Develop a comprehensive cybersecurity education, training and awareness program within their organization. This program should include modules for senior executives, program officials, application developers, system administrators and end users. Everyone should be aware of the impact their actions and decisions have on the security and resilience of the enterprise’s infrastructure.

2. Collaborate with other “C-suite” executives within the organization, as well as program units, to ensure an effective cybersecurity governance structure is in place that meets the needs of the enterprise. Security should be seen as an enabler of mission-critical functions and treated as such. Gone are the days when security can be considered solely an IT function.

3. Implement a comprehensive, risk-based security strategy in which return on investment is shown to reduce risk.

4. Communicate to the organization that no security strategy is 100 percent effective, but that the mission is paramount and must be assured. Therefore, resilience must be a key element of the cybersecurity strategy.