Remember those driver’s education classes you took before you got your license as a teenager? One of the first, and most important, driving lessons was to always check your blind spots. If you failed to do so, the results could be catastrophic.
The same logic applies to government cybersecurity strategies. If you are not constantly scanning and watching for blind spots in your network, you are at risk of being attacked through one of these vulnerabilities. That’s why public-sector organizations need comprehensive, actionable data that can help them better understand where their biggest cyber blind spots are and how they can proactively address them.
To discuss how agencies can achieve a more holistic view of network vulnerabilities, GovLoop sat down with David Otto, CISSP, High Value Asset Program Manager for the Department of Homeland Security’s Federal Network Resilience, and Clark Campbell, Vice President of Public Sector at BDNA, in the recent online training “Is Your Agency Blind to Cyber Risks?”
The current cyber landscape poses a handful of challenges for agencies. Otto explained, “The challenge is understanding if we adequately value our assets and understand where our data is and if we are protecting it and have controls in place to do so.” To reach a point where agencies are making effective cyber risk assessments, they first have to understand the value of their data.
Assessing data and determining which pieces are high value assets allows agencies to understand what their data is worth and to prioritize its protection accordingly. Otto explained that this process ultimately comes down to an organization’s specific requirements. “While there is a baseline, each individual agency needs to develop means internally to prioritize systems and rank which assets are high value or not,” he said.
However, knowing where data lives and which data needs protection is not enough when organizations are still running legacy infrastructure. “When we have legacy mainframe systems processing hundreds of millions of records stretching back decades, the need to move off of or to protect those legacy systems is a large-scale investment that a lot of government is not necessarily ready for,” Otto said. It is imperative that government invest in remedying the problem of legacy systems, because outdated technology makes it easier for adversaries to infiltrate agencies and reduces the public’s confidence in the government’s ability to keep their data secure.
To overcome legacy issues and create a holistic view of their cyber landscape, agencies must integrate security into IT modernization plans. “Agencies can ensure security is built into modernization by being security conscious in all they do,” Campbell said. “For example, agencies should avoid purchasing infrastructure that is going to be end of life within a year.”
Otto added, “When trying to integrate security into IT modernization, don’t plan for the moonshot and do nothing until then. You need a step-by-step approach to protecting your system until you can get the moonshot.”
Looking forward, the experts both offered a few key things to focus on in the coming years. Otto emphasized “having robust hardware asset management, network management, software asset management, strong authentication, and effective malware defense will make it very hard for adversaries to infiltrate your networks.”
Campbell aptly concluded: “There is no silver bullet for cybersecurity. Do your best to understand your landscape, make use of what you already have, and choose vendors wisely.” By doing these things, you can become more aware of your cyber blind spots.