Cyber threats in recent years have become more frequent and creative, and government cybersecurity teams often struggle to keep pace. Staffing can be a challenge, as can budget shortfalls and outdated technology. But one tool can help: automation.
During Wednesday’s online training entitled “Smarter, Not Harder: Implementing an Automated Approach to Cybersecurity,” GovLoop heard from four government and industry experts, who discussed today’s cybersecurity roadblocks, the human element of cyber protection, and speakers’ hopes for the future.
As Beau Houser, Chief Information Security Officer in the U.S. Census Bureau’s Office of the Chief Information Officer, made clear early on, “Cyber is hard on the best day. If it’s not hard, you’re not doing it right.”
While many, if not most, federal agencies are moving to the cloud to some degree, it’s sometimes impossible to fully abandon on-premises systems, and that can complicate an agency’s cybersecurity strategy. Russell Marsh, the National Nuclear Security Administration’s Cyber Operations Director, said his agency has that dilemma. “The biggest challenge is trying to combine the picture between two different environments,” he explained.
Robert Wood, Chief Information Security Officer at the Centers for Medicare and Medicaid Services, said his team has migrated approximately 95% of its cybersecurity footprint to the cloud. He said the challenge now is “rearchitecting our entire data plane away from pocketed silos of data storage and consumption.”
But as technology continues to evolve, agencies might have trouble keeping their employees well-enough trained, Houser said.
What they’re working on is certainly ambitious. Andrew Gallant, Red Hat’s Automation Solution Specialist, said automation today is about “string[ing] together the ecosystem into a unified platform so you can see everything that’s going on in your environment.”
The Human Factor
Both Marsh and Houser highlighted the need to understand users’ mindsets as well as those of our cyber enemies. Gallant said people can be extremely creative when trying to bypass security guardrails and that automation can help agencies respond more quickly and agilely when they do.
But it’s worth asking security teams, Wood mused, why some user lapses — such as creating weak passwords — are even possible. He was sympathetic to users, though: “You’ve got to be really careful and really intentional about not blaming the user community.”
Looking forward, Marsh said he “would love for us to get to the point where automation is the force multiplier, where the noise on the internet is able to be handled with a minimum amount of human interaction.” He believes agencies probably can’t hire enough qualified people to meet the demand.
Gallant also spoke about the power of automation as a force multiplier, and about agencies doing more with less and liberating their staff to focus on high-level work.
Houser envisions agencies transitioning even more of their IT management to the cloud, and believes that employees will need more sophisticated skill sets because automation essentially will usurp low-level tasks. Improved collaboration likewise would be helpful. “We would get a lot of bang for our buck,” he commented, “if we could share information more readily at machine speed.”
Wood looks forward to dismantling “Conway’s Law” — the idea that an organization designs systems that mirror the organization itself — as it relates to CMS. He wants to see what he called a “democratic roundup effort,” in which training and an inclusive process allow his entire workforce to “actively participate in automating things that are relevant to them.”
And during the conversation, speakers recognized that security teams have a unique role in the larger technology landscape.
“The thing with cybersecurity,” said Houser, “is you have an enemy. That’s basically not the case with any other IT field.”
This online training brought to you by: