The Government Accountability Office created its High-Risk List in 1990 and added federal information security to it in 1997; it has remained there ever since, now for more than two decades. So why is it still so difficult to protect information systems and the data they contain?
Part of the reason is that cybersecurity threats to every enterprise are evolving. Lone hackers have been replaced by highly motivated, well-resourced organizations supported by a black market that commercializes the latest exploits, offers botnets as commodities and provides a marketplace for stolen data. However, the primary reason that defense is so difficult can be summed up in one word: complexity.
The architecture of most government IT enterprises is too complex. Networks have been knitted together without an overall plan or goal, with new technology being added while legacy technology remains in place. The result is that senior leaders often have poor visibility into the enterprise and an inadequate understanding of the systems they are responsible for securing and how they interact. According to Ponemon’s 2016 Cost of Cyber Crime Study, 81 percent of cybersecurity budgets are spent on 10 to 25 percent of vulnerabilities, leaving a large window of opportunity for adversaries.
Security vendors often respond to each new threat with a new product or tool, and government responds by buying the newest products. This produces still more complexity: too many tools from too many vendors that cannot be effectively implemented, monitored and maintained. Modernizing and rationalizing the IT infrastructure itself would provide a higher return on investment than adding another layer of tools.
“Most organizations have over sixty-six security products that they are using to protect their environment,” explained Earl Matthews, Vice President, Enterprise Security Systems, Hewlett Packard Enterprise Services, U.S. Public Sector. “Industry and organizations chase the next shiny object instead of forming a comprehensive roadmap or security plan. As a result, you have so many products, you don’t have enough training to go with the people tasked with implementing these tools. This leads to too many privileged users having access to the network.”
With no security roadmap to guide federal administrators, new products bought by agencies sometimes remain in the box, unused. Furthermore, agencies often do not have the skilled workforce to deploy these tools nor the time or budget for training so that they can be effectively used. Resources continue to be used for putting out fires rather than learning how to prevent them.
A Risk-Based Focus
Cybersecurity effort goes primarily into protecting the enterprise from the outside in, blocking attacks at the perimeter as they arrive. There is logic to this approach, but in environments this complex it is ultimately a losing strategy: the perimeter cannot be fully understood, let alone fully defended, and the most valuable assets are left exposed once it is breached. A risk-based program instead concentrates finite resources on the assets that are most likely to be targeted and whose compromise would have the greatest impact.
“We need to take a different approach — look at it from the inside out,” Matthews said. “When you’re looking at cybersecurity from the outside in, then you’re just trying to block. But if you approach it from the inside out, then you can think about it from the angle of, what are my most critical apps and data? So let’s look at a risk-based strategy instead of a compliance-based one.”
Most successful security breaches today target the application layer, and the intruders’ ultimate goal is the data.