This interview is an excerpt from our recent guide, The Future of Cybersecurity, which examines 15 trends transforming the way government safeguards information and technology.
What’s the point of cybersecurity? If you ask a security professional, she will likely say the goal is to prevent network intrusions and halt cyberattacks when they occur. But if you ask Scott Montgomery, Vice President & Chief Technical Strategist of Intel Security, a security solutions provider, you will get a very different answer.
“It’s not about information security for information security’s sake,” he said. Instead, cybersecurity’s purpose is to help an agency achieve its ultimate mission of serving citizens.
To illustrate what he was talking about, Montgomery related an unexpected conversation he had a with a Defense Department leader, after finding significant malware on their network. He was explaining the issue in technical terms to no avail. The agency leader wasn’t sure what action to take or why he should take it, even though Montgomery was explaining the technical fallout from the malware.
“[The agency head] said, ‘All I want from the network is for me to be able to fulfill my mission. I don’t care about the information security and privacy, specifically. I just want to be able to fulfill my mission,’” recalled Montgomery.
This conversation led Montgomery to re-evaluate the way he framed the topic of cybersecurity. “What I realized was, as information security practitioners, we’re not exposing non-technical leadership to the problem in language that they understand,” he said. “Security practitioners have to start changing that language.”
This new conversation is what Montgomery calls an outcomes-based approach to security. Rather than focusing on technical solutions to technical problems, he advocates framing security concerns within the broader picture of mission attainment.
In that same conversation with the DoD leader, Montgomery asked, “Do you use this network and the data on this network to make decisions to support your mission? What if the adversary altered that data? Will that allow you to fulfill your mission cleanly?”
Asking those outcomes-focused questions got the agency leader’s attention and also helped inform how they should respond to the network vulnerabilities. Montgomery said this approach should be applied to every cybersecurity decision, from technology to training.
When deploying cybersecurity tools, consider how the management of those tools will impact your IT professional’s ability to support the agency mission. “If we have the same administrator responsible for a variety of different activities, then making those activities as efficient as possible is the first, best task that the organization can fulfill,” said Montgomery.
One way to achieve that goal is to provide an integrated security solution, because managing multiple solutions in disparate settings requires more time and training. “Say you have eight different vendors on a given server. In order to be effective, that means you’re spending eight times the [routine] amount of training,” said Montgomery. “If each training class is for a week, you are spending two months of the year away from the console – away from mission – training for those disparate functions. And then you’re spending some portion of your workday looking at each one of those consoles.”
“It’s just bad math,” Montgomery continued “These same employees have non-security tasks – mission enablement tasks – that they have to fulfill. That’s where they should be spending their time.”
Instead, cybersecurity strategies should focus on consolidating and simplifying IT management tasks so that more time can be spent on effectively pursuing mission goals. That’s what Intel’s integrated security suite supports. “Our responsibility is to make operations and analysis as painless as possible and as least time consuming as possible,” Montgomery said.
At the same time, Montgomery said security solutions should create an IT architecture that fully supports the mission’s information goals. He mentioned the Internet of Things (IoT) as one mission-enhancing capability that must be accommodated by cybersecurity tools.
“Everybody’s first step with respect to IoT is to say, ‘We’re going to segment it away and have it all on its own network,’” he said. “But people are going to find you can’t do that because you actually want the data that comes back from those gadgets in the production network.” Instead, Intel creates solutions that can protect that data, as well as other confidential data, within the same network and technology suite.
This integrated approach that focuses on capabilities and outcomes is exactly what’s needed to ensure that security efforts don’t derail government missions. Integrated solutions ensure that IT professionals manage fewer consoles, require less training, and have a better view of the organization’s cyber infrastructure. Ultimately, it leads to better cybersecurity, which in turn leads to a better agency able to fulfill its mission.