Cybersecurity continues to uphold its status as a government priority, and rightfully so, considering the vast amount of sensitive data that passes through the public sector on a daily basis. Government personnel and agencies regularly point to cybersecurity as their biggest point of focus due to how difficult it is to maintain with threats coming in from all directions and the IT landscape constantly changing.
One of the challenges to keeping government secure comes from how scattered cybersecurity tools, services and governance are. To combat this issue, a concerted effort is being made to consolidate these pieces of the cybersecurity puzzle to patch up holes and make spending more efficient.
This was the focus of the session “Cyber Consolidation: Simplifying the Complex” at Symantec’s 2018 Government Symposium, “Cyber Redefined: Automated, Innovative, Integrative.” The panel featured George Jakabcin, CIO, Treasury Inspector General for Tax Administration; Tony Sager, Senior Vice President and Chief Evangelist, Center for Internet Security; and Francisco Salguero, Deputy CIO, Department of Agriculture.
When asked about the challenges that agencies face with cybersecurity, Jakabcin made it clear that an overabundance of tools was right at the top of the list.
“One of the biggest challenges we have is the plethora of tools made available to us,” Jakabcin said. “You want to have a multidimensional environment, and that’s great until you get to the point that you realize the typical user [doesn’t use the entire system.]”
He explained the importance of being aware of how much of each tool is actually used, a point backed up by Sager.
“I have a habit of asking our IT and security vendors how much we actually use of the programs,” Sager said. Jakabcin explained that the typical user only uses about 10 percent of a product, a superuser uses 10 to 15 percent and even a developer only uses about 40 percent.
“How much do we utilize?” Jakabcin said. “If we aren’t using a certain percentage, can that functionality be absorbed by another tool that we have in our suite?”
Taking steps toward consolidation reveals a completely new issue, however. Many agencies aren’t entirely sure how to go about it in the most efficient way or even how to angle their thought process when gearing up for it.
“USDA is doing a lot of consolidation,” Salguero said. “We’re taking what we’ve done from the IT side of things and taking it into cybersecurity, knowing that security has to be woven into everything we do. We’re consolidating carefully, making sure that we’re doing consolidation not for its own sake but for the right things.”
Sager agreed that the approach to consolidation has to be a thoughtful one. Understanding the problem that you’re trying to solve and making sure that you have the tools to solve it are important. He also warned about the risk of overestimating and overspending on certain aspects. He suggested being sure of what is needed so that more resources are available for other issues.
“We’re moving from a world of technical security decisions to economic and social decisions,” Sager said. “No company should bankrupt themselves for security. Understand the business problem you’re trying to solve and understand the outcomes.”
Jakabcin provided ideas for how to follow through with those tips.
“We have to start at the end and ask, ‘what’s the outcome?’” he said. “‘What are we trying to accomplish from that? How do we consolidate?’ Sometimes, it’s just sheer force of will. Focusing on the outcome is looking at the data and determining how sensitive a particular piece of information is and how much investment should be put into protecting it.”
Sheila Jordan, CIO of Symantec and moderator of the discussion, agreed, saying that not all data is equal and should be treated appropriately across an organization. “Not only is consolidation cost savings, but reducing the risk in your environment,” she added.
As with many other IT and cybersecurity modernization efforts in government, there will always be risks to consider, as Sager pointed out.
“There’s a tradeoff between pulling everything together,” he said, “and the bad side is making an easier target for the bad guy because it’s consolidated.”
Despite this additional consideration, he still voiced his support for consolidation in cybersecurity as a tool for patching holes and reducing costs.
“I’ve always come down on the consolidation side as a positive.”