Despite the ever-growing list of cyber attacks and data breaches, agency chief information officers still find it difficult to get non-technology leadership support for cybersecurity.
At issue seems to be the continued struggle to identify the return on investment — the “you can’t prove a negative” problem of showing that adding hundreds of millions of dollars more to the billions already spent on cybersecurity actually stopped a potential hacker. Additionally, the emphasis on IT modernization and the little-to-no increase in budget authority make prioritization of any new tools more important than ever.
The Homeland Security and Defense departments may have found a solution to both the ROI and the prioritization challenges.
Jeff Eisensmith, the chief information security officer at DHS, said his office is merging two common cybersecurity approaches to give the agency a better way to measure and mark its progress. DHS created a cybersecurity maturity model that combines the defense-in-depth approach with a risk management process.
DHS established a one-to-five scale to help explain to lawmakers, auditors or non-IT leadership the agency’s current cyber posture and where it’s going in the future.
“The key benefit on top of that is we are able to pick a threat like spearphishing and pull that thread through that defense-in-depth maturity model and see where you need to make targeted acquisitions to get in front of that threat,” Eisensmith said on Ask the CIO. “It also helps me measure and feedback to the appropriators and leadership details on what the ROI was for that investment.”
Eisensmith said the maturity model lets DHS see the “kill chain” or stages of a real or potential malware attack to help them prioritize the parts of the network or applications that need to be hardened to keep hackers from doing more damage.
“Every time they come at me, we get a whole lot stronger,” he said. “It gives me the metrics to be able to say, if I’m always having a problem with link five, I can go back and say, ‘this is the root cause,’ and now I have generated a really good business case. For a security person, that isn’t always easy to do, and that is how I can signal a need for investment that gets traction.”
Eisensmith said the DHS CISO council reviews each of the components’ ratings on the maturity model, which then helps the council identify where potential investments are most needed.
At DoD, former chief information officer Terry Halvorsen launched a similar approach through a security scorecard initiative that measures the services’ and agencies’ cyber efforts. Halvorsen initially developed the scorecard to reinforce cyber basics like strong authentication and reducing the attack surface, and to address systemic shortfalls.
“We meet with the services almost every Friday and we meet with the agencies typically on a monthly basis to see where they are on the 11 elements of the scorecard. The top four or five of those were the ones we took up to the deputy secretary,” said Essye Miller, the deputy CIO for cybersecurity at DoD, on Ask the CIO. “We worked with [former deputy secretary Robert] Work to drive the services and agencies to understand what they needed to do. I talked about pushing them to relook at their investment strategy and adjust, and that is exactly what he had some of them do.”
Miller said one example of that is the move to Microsoft Windows 10. The services missed their initial deadlines because the migration proved more complex and costly.
But Miller said Work told the military services to come back with estimated costs for the migration and look within their spending plans, where they can readjust or where reprogramming may be necessary.
“It gives it the level of visibility it needs to drive to the expected outcome,” she said. “Windows 10, obviously, postures us to have a secure operating environment and that is what we want. Our responsibility was making sure we are putting dollars where we need to, to get us there.”
Miller added that all the services and agencies have come back with a plan to meet the March 2018 deadline.
Now DoD wants to expand the scorecard beyond the office for commodity IT. Miller said the next phases of the scorecard will address “programs of record” and embedded systems in weapons platforms.
“It’s not just identifying them and determining if they go to Windows 10, but what is the business case for some of them. It may be Linux. It may be Windows XP. We know there are issues there, so what do we need to mitigate those, if it’s not cost-effective for us or if the system at some point is already planned for decommission,” she said. “Those are the kinds of things the scorecard is driving us to, and that has been focused on compliance, so the next level is to shift that to more of a risk-assessment model.”
Miller said the CIO’s office is working with the Defense Innovation Unit-Experimental (DIUx) to find automated tools to conduct those risk assessments. The current scorecard is created by manual processes, and DoD would like to make it a more real-time tool. Miller said DIUx should have some options by the end of 2017.
Miller said DIUx will identify three or four tools that could meet DoD’s needs and then will pilot that software to get automated data feeds.
As at DHS, the biggest change for DoD is that the scorecard forced the services and agencies to learn their IT environments better.
“Our first few months of this was complete discovery. Our numbers fluctuated because we were finding something new every month. We’ve seen the numbers stabilize across all the services. We know where our challenge areas are and where we need to focus. It’s a little bit different for each of the services, but we know what they are and we can address the actions to close the gap there. We have an idea who we are and what we are, now we have to figure out how to close the gap for the problem areas,” Miller said.
Eisensmith said the DHS maturity model has had the same impact: it ensures DHS knows its cyber strengths and weaknesses, and can describe to non-IT leaders how to close those gaps.
“What we are doing is using the maturity model to say ‘here is where we are today,’ and it’s easier to articulate a gap. After that investment, it’s easier to show whether that investment was effective. So it’s changed the conversation significantly,” he said. “You need something beyond the cyber framework to get to the fine-grain details of future investments, and this is what this tool is.”
Eisensmith said DHS has shown the maturity model to lawmakers and to the Office of Management and Budget. He said OMB is interested in broadening the scope of how the model is used.