Data breach at your agency? Better report it and get it over with

Agency tech staffs must, by law and regulation, report cybersecurity breaches. But some industry surveys show that organizations do not always report breaches, ...

Agency tech staffs must, by law and regulation, report cybersecurity breaches. But some industry surveys show that organizations do not always report breaches, because who wants their own head to roll? For some insight on the whole notion of compliance,  Federal Drive with Tom Temin spoke with Igor Volovich, the Vice President for Compliance Strategy at Qmulos.

Interview Transcript: 

Tom Temin There have been surveys out by some of the companies and I think Bitdefender that showed that a large portion of IT executives feel that they are urged by their organizations to not report security breaches and just kind of bury them. What’s your sense of whether this even happens in the federal sector or not?

Igor Volovich Well, I think we’ve seen some of this recently. We saw the infamous case of Rocketdyne Aerojet, that actually had a whistleblower come out and say, well, we were actually told to conceal the fact that we’re not compliant. And for a number of years when they were executing out of their federal contract, they were claiming to be compliant with cybersecurity regulations and standards, and they weren’t right. So the rockets flew the, they the company got paid and yet they were basically not performing on their federal contract and the whistleblower exposed it. So there are a couple of ways that this comes to light, typically. Yes. Whistle blowers. And the other one, well, you got breached. So, yes, you can conceal one breach, but not all of them. And as environment get breached all the time, it’s unlikely that you can keep that game up forever.

Tom Temin Because in the great OPM breach of, what probably ten years ago, the director of the agency lost her job over that. And now you hear increasing calls just generally that whoever is responsible for letting a breach happen, then they should lose their job. So there’s a lot of disincentive for people that may not have a profit motive. And then for companies, contractors, they have the motivation to conceal that from the government because of the costs that it would entail.

Igor Volovich That’s absolutely right. So the personal accountability is becoming more and more apparent and transparent. We’ve seen a lot of effort by federal agencies to enforce the rules a lot better. We’ve seen regulators come to understand cybersecurity a lot better. And today we don’t have a common model for enforcing things like privacy. We don’t have a federal privacy regulation, for instance. So it’s kind of a hodgepodge, a patchwork of state based regulations. But again, we’re starting to see the light on that. We’re starting to see a lot more understanding of how things work. So concealing things in the complexity of cybersecurity is becoming less and less possible. So this idea of plausible deniability, well oh shucks, we just didn’t know, it’s too complex, we have no idea that’s going away day by day, Right? We’re seeing a lot of that going out the window and the agencies being asked and agency leadership being asked to answer these questions. We’ve seen that in Congress. We’ve seen that across the boundary over to the private industry. Right. Anybody who’s doing federal contracts are under the obligation to report continuously and consistently and with integrity. So the ethics of being able to conceal. Can you conceal? Yes, you still can, of course. If anybody wants to do malfeasance, they certainly can. Right. But the kind of transparency that we’re seeing being enforced and being asked for by the federal government and by the agencies themselves within their own sphere of influence, it’s becoming more and more prevalent.

Tom Temin Should an organization, though, fire the top person or the person responsible necessarily, If all of the accepted and recommended controls were in place, all of the patching was up to date, they had a program for continuous diagnostics and mitigation, all of these things? CMMC is coming down the road, in theory anyway, starting soon. Is that perhaps the disincentive that the fact that there has to be a head on a pike for something to happen rather than an honest, well, let’s see how we can fix this?

Igor Volovich Well, I think that’s a perfect question, Tom, and we’ve had this historical model of accountability and I’m putting accountibility in big air quotes. Right. You got breached, the top person gets fired. And you pretty quickly, you run out of talented folks who want to take the job. And right now, we actually have a shortage of willing CISOs who want to take the job, especially in the federal space. Right. And it’s a tough job to begin with, attracting the right kind of talent when you have that Damocles sword hanging over your head. A lot of things you don’t control. There’s only so much you can influence with an environment. You have your governance, you have governance, you have your models of exerting influence over the outcomes, but ultimately, there’s only so much you can do. And also, let’s understand this most federal environments are very complex. They operate in a constant state of change, like any I.T. environments. But also you have these mandates. We have to go to the cloud. For what reason? Well, because we have to be in the cloud, right. Some of these things don’t necessarily make sense from a quote unquote, business perspective.

Tom Temin That’s real heresy. You’re speaking now.

Igor Volovich Well, I mean, look, we’re seeing a lot of folks waking up to the fact that we’ve been pushing for the cloud over a decade now, and some folks are not getting the ROI that they were expecting. Right. Some of them are kind of pulling back and saying, look, maybe the fact that we waited and we’re kind of these Luddites of cloud adoption is actually a benefit to us now because we have less change, we have less shift, we have fewer things that we have to worry about. Now everybody’s got some cloud, it got some hybrid, everybody’s got some level of complexity. And so what I’ve come to call a persistent level of a fog of war. There’s a level of unawareness that is always going to persist. Now for some environments, they set that bar at maybe 10%. They say, okay, we don’t know 10% about our environment. That’s okay. Some say we just have to accept 30% and that’s our baseline. So there’s always something you don’t know. Now the danger is that that is the place where the bad things are going to happen, right? That’s where your major noncompliance is going to happen. That’s what that field control is going to expose you and expose the entire environment.

Tom Temin We are speaking with Igor Volovich, vice president for compliance strategy at Qmulos. And agencies management and the IT staff and plus everybody else, if you add up all of the responsibilities, compliance is a really big word these days. Not just in cyber but cyber joined by so many other compliance requirements on contractors, on agencies, on companies. The companies now have compliance departments and vice presidents of compliance. It seems like there should be a way to automate all of this so that someone is not caught by even well-intentioned lack of disclosure.

Igor Volovich So the question of compliance, right? We use compliance as the lens to look through, to look and assess our environment and understand our risk posture and our security posture. That’s been the historical model. Now, compliance, of course, is in itself complex. There are many regulations, there are many different frameworks. Tom, you mentioned CMMC coming down the pike. We, out there in the industry, we see a lot of heads nodding when we talk about CMMC. And when I mention that from the stage, when I speak at events, but we haven’t seen a lot of movement, we don’t see a lot of environments in the federal adjacent space moving towards actually adopting CMMC, at least not in a way that would be meaningful. And let’s remember CMMC is not a new framework. It’s another way to assess under existing frameworks like this 800171 and 172 right? So there is nothing drastically new about CMMC except, well, transparency and accountability, right? So CMMC 2.0 is really meant to solve the problems that CMMC one had and really create more integrity in the reporting structure. But let’s kind of take a step back and talk more at the macro level, just compliance as a whole, using compliance as a means of assessing one’s integrity, one’s resilience, one standing at a from a cybersecurity perspective, there’s a challenge there, right? Because compliance typically is used as a lagging indicator, not a leading indicator. And we can dig into what that means.

Tom Temin All right. Well, what is it a leading indicator of?

Igor Volovich So it should be a leading indicator of your existing current ongoing security posture. Right. But that’s not the function that compliance has been built up to be. Right. We’ve always accepted this historical perspective of compliance, and we inherited that from our friends in the financial audit because that’s where we got a lot of those ideas. Right. We capture past state. We look at controls, we look at our state, and then we record that and then at some point it winds up on some report and that report gets filed and then somebody signs off on it. And that’s the model. That’s the model that’s been for decades. And of course, in cybersecurity, things move too fast. And so you need to know where you are today, not where you were three months ago or in some cases, three years ago. Right. Triennial assessment cycles. That’s the common model, especially in federal space. So it’s not uncommon for us to speak to a federal client and ask them what is the oldest piece of information that is on a report that you’re holding up in front of us or you will be holding up in Congress when you have to testify after a certain breach. Right. And they go, well, some of this data is three years old and that’s normal. That’s common. They will break up their environments in threes and actually do it in thirds because that’s only the bandwidth that they’ve got. So we believe that that’s not the way to work, that is not the way to get value out of a compliance program. It’s certainly very much within the legal framework and within the acceptable norms of what compliance is today. But it could be better.

Tom Temin All right. And so therefore, it becomes a leading edge type of indicator or something that you are in front of before something happens.

Igor Volovich Correct, right. So we accept the timeline of real time now in security operations. We wouldn’t think of operating with data that’s more than a couple of minutes old. We want to be in I mean, in milliseconds. But when you look at security operations, that you look at security event management, you try to pull these data points in as fast as you can, process them, analyze them, get insights out of them. And so when you look at Fuzing, all that information from your intelligence operations, vulnerability management operations, all of that needs to come into that nerve center that we call the SOC, the security operations center. That’s where your smart analysts are sitting there and trying to understand what’s happening in real time. But we take a full pause and we will watch here over to the compliance department and say, well, what’s happening there? And they go, well, this is what happened three months ago or three years ago. Well, what value is that to me as a security operator? There’s been this divorce between compliance and security for that reason. We operate on different time scales.

Tom Temin And if you are the one that is responsible for the disclosure, if you are up to the minute and you say, gosh, an hour ago we just had a breach, that’s a lot more credibility. And probably you look more like you’re on the game than if you say, gee whiz, this happened two months ago. And the dwell time of this particular software was one month. So we don’t know what the heck happened. That’s the difference between the backward looking, the forward look.

Igor Volovich Correct? Right. Exactly. So with compliance, traditional level of compliance, we just captured that passed state. Nobody’s looking at compliance, although ostensibly, let’s remember what compliance was designed to be a tool of risk management. We want to capture state we want to understand if control has failed and we want to mitigate it or remediate. Right. Fix that control, make sure it’s not failed anymore. And we understand these controls are built on these frameworks that represent a posture that we’re trying to achieve. That is our objective state of security for an organization. And it’s built on the model of a threat profile. Right? So for our environment NIST 853 represents that kind of threat profile and the controls that would protect you and same thing across all different industries. CMMC of course, obviously that’s another good example. But we said that, we said that’s what compliance is for, but then we accepted this historical posture. And so when we identify a control failure, it takes months, if not years, to actually fix it. We take this different approach with compliance. We just accept the fact that we’re going to be looking backwards. So I call it rearview mirror security. We’re doing things in the past, so there’s no value to it, right? So when you talk to a security person, they look at compliance as this thing that we have to, it’s a gantlet, it’s a nuisance. It’s just this paper, this bureaucratic exercise that really doesn’t deliver any value to the security operation or to the security posture of the organization. Right. You’re always capturing past state.

Tom Temin To the question I asked a moment ago then, is there a way to automate compliance?

Igor Volovich Absolutely. We feel automation is not just something you do for automation sake. It’s not just another box to check, kind of like you’re checking the box in your compliance program today. Automation is really a way to converge the timelines between security operations and compliance operations. It’s really doing for compliance what DevSecOps did for IT. But it’s automating, operationalizing, bringing a lot of these things together, leveraging the resources that you have and actually creating additional ROI out of your existing security investments. ROI that’s sitting there dormant today, capturing historical past state, bringing it into the real time now, giving you a value for a security program out of your compliance program, bringing them together, and that’s what we call convergence.

 

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories