For 25 years, the Government Accountability Office (GAO) has labeled cybersecurity a high risk. But a lot has changed since it made the list in 1997.
Today, cybersecurity is less about system- and enterprise-level protection and more about security “at the point of data,” said Sterling Wilson, Senior Business Development Manager of Public Sector at Rubrik, a data management firm.
Historically, cybersecurity guidelines, such as those released by the National Institute of Standards and Technology (NIST), focused on protecting systems and enterprises.
“Now, we’re at a state where information flows in and out of systems and organizations, and it’s all about protecting that information,” said Vicky Pillitteri, Manager of NIST’s Security Engineering and Risk Management Group.
At GovLoop’s online training Wednesday, Wilson, Pillitteri and Jennifer Franks, GAO’s Director of Information Technology and Cybersecurity, spoke about how agencies can secure their information and data in a landscape where cyberthreats only continue to grow.
Robust Data Protection Is About Risk Management
Unfortunately, you can’t just follow three best practices and have robust cybersecurity, Pillitteri said. Every organization has diverse systems, data sets and missions that need to be protected differently. For instance, NIST’s public research data will be secured differently from the Defense Department’s logistics information. It comes down to risk management.
Risk management identifies, evaluates and responds to potential risks to minimize harmful effects to an agency. NIST provides a risk management framework that your agency can use and tailor, as well as how-to guides on ensuring data integrity.
Data Is the Target for Cyberthreat Actors
Every agency may have different and disparate data sets, but “the song remains the same” — threat actors are after your data. Data is no longer just the input that produces an output or asset; it is the asset itself. And because of this, agencies must focus their cybersecurity efforts on data. You must be able to know where your data is, have backup and recovery plans and, importantly, ensure you don’t put malware back into the environment after a cyber incident. The integrity of data, or your ability to trust it, will become increasingly important, Wilson said.
Be Attentive in Your Security Awareness Training
All government employees should take cybersecurity training, whatever their role. And if you’re a federal employee, you’re required to do so under the Federal Information Security Management Act (FISMA).
If you haven’t taken your annual awareness training yet, complete it more attentively and intentionally this time. There is data you have a responsibility to protect, Franks said. “We have to do our part to help our organizations continue to be cybersmart,” Franks added.