Transforming Cybersecurity Postures From Reactive to Proactive

The following post is an excerpt from GovLoop’s recent guide, The Top 30 Government Innovations of 2017.

Modernizing IT infrastructure, including hardware and software, is top of mind for government agencies going into 2018. It’s a beast of a task — the federal government alone spends more than $80 billion on IT each year, and much of that goes toward operating and maintaining legacy systems.

Some have already started the modernization journey, but one of the biggest challenges agencies face is understanding what applications are running on their infrastructures, as well as the end-of-life and end-of-support dates for those software and hardware assets. End-of-life refers to when a product ends its useful life, and end-of-support refers to when a vendor stops servicing it.

To understand what organizations can do to better track the current and future state of their IT assets, GovLoop spoke with Clark Campbell, Vice President of Federal at Flexera, a company that provides software and hardware lifecycle support and maintenance.

There are billions of dollars’ worth of hardware and software in use across all of government that is either obsolete or on the verge of no longer having support from vendors, which means no more software patches, maintenance, replacement parts or other upgrades. The concern is that older hardware and software assets are favorite targets of cybersecurity threats looking to gain entry into systems holding sensitive information. They also are difficult and expensive to maintain.

“Understanding what your end-of-life and end-of-support dates are — so you know what will happen a month from now, six months from now or a year from now — allows you to prioritize things,” Campbell said. “There are certain systems that have national security information or personally identifiable information, so it’s imperative that agencies know when those systems have reached end-of-life or end-of-support.”

If agencies don’t know these dates for their infrastructure, it’s harder to spot weaknesses. Too often, agencies are reactive rather than proactive when it comes to securing their IT systems, Campbell said. For example, although many agency cybersecurity administrators seek out information about system vulnerabilities according to National Institute of Standards and Technology guidelines, those findings often come too late and are incomplete.

Campbell stressed the need for agencies to understand the end-of-life of hardware and software products, and to prioritize cybersecurity and budgetary matters around those events.

“Every hardware and software vendor has those dates,” he said. “But commercial and federal organizations usually don’t have that information available to them and properly aligned to their existing infrastructure. That information drives cybersecurity and budgetary issues — they are directly related.”

The problem isn’t that public-sector organizations are lacking data, Campbell noted — in fact, they might be described more accurately as being overloaded with data. The challenge is that they lack actionable intelligence with which to set priorities and execute mitigation efforts. Agencies must find a way to draw a common operational picture from the troves of data at their disposal, and that’s easier said than done. But having a clear view of all end-of-life and end-of-support dates across the enterprise is one way to ensure that government systems are outfitted with needed security features and adequately supported by vendors and employees.

In today’s increasingly digital environment, agencies need to know what’s actually on their networks. Having this type of information on hand can empower agency leaders who want to optimize the performance of their IT assets or ensure they’ve installed current software patches. Those who don’t know what’s on the network can’t know to what extent their agency is vulnerable to cyberthreats.

“Gathering that information, aggregating it, normalizing it, de-duplicating it and aligning it to a catalog of end-of-life data is not only difficult for the federal government,” Campbell said. “Commercial organizations struggle to do this, too. For this reason, Flexera provides this capability for financial, healthcare, federal and insurance institutions.”

Flexera specializes in providing extensive IT support information, and the company has acquired more than 60 federal sole-source awards as a result. Flexera’s solutions can help an agency replace aging hardware and software assets before they become obsolete and avoid IT purchases that will soon reach end-of-life or end-of-support status. They also help agencies enforce IT configuration and “shadow IT” policies.

Moving into 2018 and beyond, agencies should strive to better track and document end-of-life and end-of-support information in their quest for modernization. This level of visibility and actionable intelligence will enable agencies to better manage existing and future IT systems.

Read the full Top 30 Innovations of 2017 guide here.
