Information security for government agencies is a hot topic these days, and it needs to be confronted in a concerted, specific manner. There are a few factors at hand in the question of information security. Inability to keep abreast of threats, poor risk management understanding, inadequate funding for security initiatives and a shortage of qualified professionals top the list. Considering that information security does not have a one-size-fits-all solution, what are the best ways to approach outfitting agencies across the nation?
At GovLoop’s Tuesday event, Evolving Tactics to Combat the Cyber Threat, Keith Young, Enterprise Information Security Officer at Montgomery County in Maryland, described how to best optimize information security within government agencies. He summarized how agencies can optimize their selection of information security as “partnerships, collaboration and outsourcing.”
Young began by setting the stage with his experience at his department in Montgomery County. “Montgomery County has approximately 1.1 million citizens within 507 square miles, $2. billion in revenue yearly, and about ten thousand employees to manage,” he said. “With the jail system, emergency calls, police and fire departments all operating within cybersecurity systems, there is a great deal of complex sensitive data that could kill someone should the information be leaked.” With over $175 million in credit card transactions within the county, Young faced a stark reality: information breaches were a real risk.
“Here’s the reality: if 14-year-olds can break into computer systems, there’s an issue. We need to look into getting back to the basics.” Speaking to an instance of hacking his daughter was involved with at a young age, he shared that agencies are susceptible to information security attacks by those they might least expect - and without starting cyber security protection from the basics, agencies leave themselves wide open.
Young detailed that several different tactics can be utilized for information security. A completely seamless information security system would pull from the following:
- Utilizing the cloud for information security
Contrary to popular belief, 100% cloud-based security systems aren’t, as Young stated, “security risks.” In explaining further, he noted, “major cloud providers that sell to government do security better than you do.” The cloud does more than handle information security efficiently - it also provides cost savings, enabling agencies to shift resources to more important initiatives. Considering that cloud providers are not yet fully mature, agencies have the ability to get into the cloud game while costs are cheap. Costs are slated to skyrocket once liabilities are more mature, so Young urged agencies to seriously consider the option.
- Examining how peers use technical resources to improve
Young shared that, specific to incident response, cybersecurity can be improved by working with law enforcement at both the federal and local levels. Although that used to be a one-way street, it’s now a sustainable way to find “more about what your peers are doing, and understand your agency’s areas of improvement in the cybersecurity space.” With an increased focus on “cyber hygiene,” most agencies are going back to the basics.
- Bring on cybersecurity experts from your local universities
Surprisingly, Young pushed agencies to bring on young, qualified candidates from local universities “who possess the credentials and experience, but lack the job experience that can give them jobs in cybersecurity.” He stressed the tremendous resources found in universities in the form of full-time internships, and noted that his department had a wait-list of interested candidates. “Teach your children well,” he noted, “because they are the future of cybersecurity for our agencies across the nation.”
So, what’s next? Considering the massive consumerization of information technology, Young warned that agency employees try to accomplish their jobs in the easiest way possible. Without monitoring for that potential threat, employees could be using insecure file management systems that the organization isn’t aware of.
On top of that, customer and citizen engagement means that there are areas of concern with different social media platforms. Pluggable apps for big data need specific, purposeful initiatives that track where the data is going.
Ultimately, cyber information security is not a topic to be taken lightly by agencies, whether local or federal. The biggest mistake an agency can make is to take a one-size-fits-all solution, rather than doing due diligence and pursuing a system that works best for the agency. The state of security readiness across the nation must be considered carefully, because the return on investment is high. A hack like OPM happens if an agency isn’t ready - and Young showed exactly how to make sure something like that has an exponentially lower possibility of happening.