Innovation and security are two words you usually don’t hear in the same sentence — especially in government.
Employees’ demands for innovative technologies to do their jobs better, faster and sometimes cheaper are often at odds with the need to ensure that government data is secure. That’s the dilemma agencies still face as they shift more of their operations to cloud environments.
At the same time, agencies are trying to move away from a compliance-based model of security where they simply run down a checklist, to one where they truly understand security implications and make risk-based decisions.
Even the Defense Department is gradually moving in this direction, but it takes time. “When DoD transfers risk, people [can] die,” said Leo Scanlon, Acting Division Director, Office of Information Security, Office of the Secretary, Health and Human Services. “In the civilian world, we have a little more latitude.”
Speaking at GovLoop’s recent event, The Power of Collaboration in Government, Scanlon shared how HHS is working not only internally but also with healthcare providers to securely adopt cloud solutions. “We have to take the technology built by companies and figure out ways to use them and help the consumer use it,” he said. “The hard part is not spending money. The hard part is learning to use the equipment and use it effectively.”
For companies that provide these cloud services to the government, one of the common complaints is the cost and time it takes to get their technologies authorized for use through the Federal Risk and Authorization Management Program (FedRAMP).
Scanlon explained that the single biggest driver of cost when it comes to authorizing a solution through FedRAMP is lack of security knowledge about the system.
“It’s about understanding the data you have,” said Alen Kirkorian, Lead of the Innovation, Strategy, and Security branch of the State Department’s Office of the Chief Architect. A lot of government systems end up getting classified as moderate-impact because the people responsible for them don’t truly understand what data is in that environment.
FedRAMP empowers agencies to understand the risk associated with where their data is going, said Ashley Mahan, FedRAMP Agency Evangelist. “What’s effective is when a culture is there from the top that has respect for cybersecurity.”
Security has to be more than complying with a checklist at a particular point in time. It must be top of mind all the time. Ken Stavinoha, Technical Leader, FedRAMP and DoD Cloud at Cisco Systems, put it this way: A certification is more like a diet, in that when you achieve the desired goal you tend to slip up. But an authorization, like those required by FedRAMP, is like a lifestyle. From the time organizations enter the process — and long after — they are still engaged with agency officials and the FedRAMP program office.
For agencies, the ongoing work is striking the balance between security and functionality. To ensure that agencies are empowering employees with the tools they need to do their jobs securely, GovLoop’s panel of IT experts offered some words of wisdom.
- “Always ask why?” Kirkorian said. “If someone says, ‘no,’ just keep asking why until you get to the root reason as to why they are being negative about something.”
- Stavinoha advised agencies to consider the risk versus the reward when making security decisions.
- “I’ve been that person who has said ‘no’ a lot in my career as a security professional,” Mahan said. “It is a really tough gig to be in to always go against the grain.” She suggested that IT professionals help employees understand the policies and help them understand the why behind decisions that are made. To foster those relationships, there must be a culture of security and a respect for cyber.
- If you’re doing proper risk management, it’s not “no.” It’s “yes, but,” Scanlon said. When people see that you’re really saying “yes” to their needs, they are willing to work with you on the “yes, but.”
This blog post is a recap of GovLoop’s recent event in partnership with Cisco, The Power of Collaboration in Government.