You asked, we answered. I always love it when we have a Q&A with our audience at our GovLoop events. Our government attendees are typically never shy about asking questions, and it’s a great way to collaborate with peers. I pulled out three questions from our Q&A during our cybersecurity event this week.
Andy Bonillo, Director of Cyber Security and Public Safety, Verizon’s Public Policy, Law and Security, and Derrick Dickey, Identity and Access Management Specialist, Dell Software, were on hand to answer the audience’s questions.
Question 1: We’re onsite for a lot of the large contractors. I may be there 3, 6, 9 months – but I may have access to everything because I am the proposal manager. Since I am monitoring 9-10 people, I can’t see what everyone is doing, so how do I make sure the system is secure? So I know as a manager that nothing is leaving?
Dickey: The environment that I work in, here’s one of the tricks that we do to work around that - you manage 10-15 people, and you know exactly what those 10-15 people are doing. As the IT admin, I really have no idea. John Doe just started on a 90-day contract and needs access, I say ok, thank you - nice to meet you. So I start giving him access. In reality, he needs access to four or five key documents or resources. But as an IT admin, I would never know that.
So what we do at Dell is that we take that away from IT, and provide a great business process and give it to you. You know exactly what your employees need and must have access to, so you create the policy, rule-based. And if you think this sounds difficult, I promise you it's easy.
You can’t stop a person from doing malicious acts, but you can put some processes in place to mitigate.
Question 2: How does the ‘internet of things’ play into cyber?
Bonillo: We certainly play a big part in enabling the internet of things with our products. As I look at our network it is still predominantly fiber; if you look at wireless, cell coverage, it all still backs up to the physical infrastructure. Certainly the farther that IT gets away from the physical infrastructure, the harder it is to protect. You’re going to have things within your home that are internet-enabled, I think you’re going to see more data and video being used, the ability to serve underprivileged areas through [data and video], and enable those to learn faster in different areas in the world that weren’t able to have access.
Now, tying that to your day-to-day life and critical infrastructure data systems, we can use the internet of things to enable machine to machine, to provide a better way of life. The security of those devices cannot become out of sequence with security efforts, and we have to have a way to track and manage those [IP-enabled devices].
Question 3: What is the greatest need in cybersecurity in terms of people? It’s an IT conversation, but doesn’t the conversation go beyond IT?
Bonillo: I think it’s a mentality and a culture. We have to get to a point where we need to unlock the data that is within our organizations, and we currently sit in silos, many corporations’ data sit in silos, but we need the ability to sit above those silos and power the data for mission. We talk a lot about people, process and technology and that ties into a culture, a risk culture, a culture of commitment to security, commitment to understanding, and you as an organization know what your risk tolerances are, and that’s a big part.
Dickey provided an example from his professional experience that helped to show how an organization could change its cyber culture. A VP of a department was sent a phishing email that asked him to click a link that read, "Click here to increase your email storage from 8 to 10 MB." Once he clicked, an additional message was sent notifying him that his inbox would be deleted. Immediately the VP called IT and said, "Do not delete my email." Once they realized it was an error and a phishing attack, IT was able to stop any damage from being done - and they turned this incident into a learning opportunity.
The IT department started to send out emails intentionally that looked suspicious, and tracked which employees reported the emails. Employees who were most vigilant were rewarded at the end of the year, and this program helped to build a culture that made security a priority. This story shows how important it is to train people to know what to look for, and that anyone is a potential victim.
These are just three of the dozens of great questions that were asked at our event. Hopefully you’ll be able to join us at an upcoming event soon, and be able to learn and connect with your peers. Armed with new knowledge and a community to back you, you’ll quickly become a change agent within your agency.
GovLoop offers many resources on cybersecurity. We know it’s a complex world, but here are a few resources to help you get smart and learn from your peers. For more coverage of the sessions at GovLoop's recent cybersecurity event, click here, and download GovLoop's recent Cybersecurity Guide here.