Because many agencies rely on tools that don’t meet current needs, the first step to operationalizing security is actually not to start implementing changes for the future. Instead, take the time to assess the current threat landscape of your agency related directly to your mission and its associated important assets, as well as the tools and processes you have in place to address those threats.
This assessment is a crucial first step to starting any cybersecurity strategy, because it gets everyone on the same page about what cyber vulnerabilities, threats and technologies look like today. “What we don’t want to see is people operationalizing their security based on the threats and technologies from 10 years ago, since this is a very dynamic environment,” said Tony Cole, Vice President and Global Government Chief Technology Officer at FireEye.
At the same time, you don’t want to install new technologies that are incompatible with your current infrastructure. With many agencies still not working on updated operating systems, Cole said it’s common to see an agency install a tool that actually can’t be supported by an outdated system. Additionally, adding systems without replacing or integrating them with older tools could create a more complex, less effective security system.
Avoid these issues by executing a holistic security program assessment that examines both the threats and tools that challenge your agency’s cybersecurity.
From a threat perspective, a security program assessment should consider a number of factors that define a cyberthreat, including:
- Who is trying to compromise your organization;
- What they are after in your organization;
- Why they are trying to compromise you; and
- How they are trying to attack you.
Part of that assessment might include examining similar agencies that have already assessed their threat terrain. For instance, FireEye tracks more than 16,000 threat actors across continents to determine which attacks are most likely to be coming your way in the future.
However, your assessment should go deeper to examine your own network with advanced threat-detection capabilities. Most internal assessments will reveal cyberattacks that have already infiltrated – or at least targeted – agency systems, Cole said. Use those discovered attacks to guide your understanding of threats to your organization.
“Then you can start to understand that adversary and what you need to do to create the right architecture, policies and processes to thwart those attackers,” Cole said.
Once you have a keen understanding of your adversary, take your assessment to the next level by considering your security mechanisms. Investigate your infrastructure and processes to consider:
- Are your current tools and processes effectively rebuffing cyberattacks?
- Can those tools consume contextual threat intelligence about the adversaries?
- Which assets are the most exposed to threats?
- Are your employees capable of countering attacks in real time?
- What additional technologies should be acquired to counter advanced attacks?
- If your organization is breached, do you have a plan in place to minimize damage?
In addition to considering what resources you have, your assessment should consider effective resource allocation. Keeping in mind which assets are most likely to be targeted by cyberattacks, leaders can determine if security tools are appropriately distributed – rather than adding layers of protection to low-priority assets that are unlikely to be targeted.
“The goal is to help agencies understand what they should be focused on, rather than trying to protect everything equally when they don’t have the resources to do that,” Cole said.
This assessment is the first guiding step to operationalizing security in government. But especially for agencies that are behind in their cybersecurity initiatives, this holistic assessment can be a technical and procedural challenge. It requires a keen understanding of both the external threat landscape and the agency’s specific environment. Moreover, the assessment should be executed without organizational biases.
For those reasons, it may be necessary to seek external support. “The one thing that is unbelievably beneficial is to actually have somebody who has no preconceived notions about your environment,” said Cole. “Have someone come in and look at your environment to figure out what you’re doing right and what you’re doing wrong, based on best practices around the globe.”
This external analysis is especially useful for organizations that have been unable to detect threats in their networks already. Companies that specialize in threat detection, like FireEye, have the tools and expertise to identify many sophisticated attacks that agencies simply aren’t capable of finding with outdated systems. In fact, 47 percent of cyberattack victims learn they are breached from a third party.
Once your agency has a baseline understanding of the threats it faces, as well as the defenses it lacks to confront them, you can begin to build a strategy that operationalizes security.
This post is an excerpt from our recent industry perspective, Operationalized Security for a Safer Government.