The Department of Health and Human Services’ employees protect the personally identifiable information of more than 100 million people, and as one of the largest bureaucracies in the federal government, must defend a sprawling network against a growing number of intrusion attempts.
The National Institutes of Health, however, is taking a “people-centric approach” to this cybersecurity challenge, Jothi Dugar, the chief information security officer of NIH’s Center for Information Technology, said in an interview with Federal News Network. That approach, she said, exists as the central theme of the agency’s new Optimize IT Security initiative, which views NIH’s workforce as its greatest asset – not its greatest liability – in combatting cyber threats.
“When we look at people, often you hear in the cybersecurity world [that] people are your weakest link, and I take great offense to that,” Dugar said. “We’re looking at people through the Optimize program as our biggest assets. Because why are we focused on cybersecurity anyway? It’s to protect our people, our science and the data.”
The Optimize IT Security effort, one of eight programs launched throughout HHS to increase the efficiency and effectiveness of its operations, looks to empower employees with the information they need to identify suspicious behavior, such as phishing emails, and make employees feel comfortable reporting these anomalous activities to cyber personnel.
As part of this approach, NIH identified 13 different user groups across the enterprise with access its networks, and is tailoring cyber-awareness approaches to positions such as clinicians, researchers, scientists and emergency management personnel.
“It’s not just one-size-fits-all – and that’s generally the approach that’s used in cyber — that if it works for one person, then it should work for everyone,” Dugar said. “What we found was when you have these different types of stakeholder groups, especially at an organization such as ours … we have a whole slew of stakeholders who have different roles. We want to tailor the approach to each of these groups, so that it really resonates with them.”
The Optimize project also will rethink cybersecurity training from an employee engagement perspective, and move away from check-the-box experiences like the annual cybersecurity awareness training most federal employees go through.
“Most people, if they don’t see any relevance to it in their role, will probably just click ‘next’ 100 times and get a certificate, and then that’s it. They feel like their role in cyber is just that half an hour that it took to take the exam, and they don’t have to think about it again for the rest of the year,” Dugar said, adding that all NIH employees should consider cybersecurity and cyberawareness part of their day-to-day responsibilities.
“We’re trying to change the culture to engage our employees [and] all of these different stakeholder groups, not just our IT department, and really communicate with them,” she added.
While the Optimize IT Security program invites employees to participate and crowdsource ideas of how to improve cyber practices at the agency, Dugar said leadership also will hold employees and staff accountable for working in a cyber-safe manner.
“It’s always the balance between the carrot and the stick, so we’re providing them multiple opportunities for growth, knowledge and awareness [and] understanding their pain points. But at the end of the day, we also have to ensure that everyone’s aware that this is a requirement – it’s not an optional thing anymore for cyber to be to be looked at as, ‘OK, I’m a clinician or scientist, I’m just going to take my course and I’ll be done with it now,’” Dugar said. “They’re going to be expected to incorporate cyber-safe behaviors into the role that they play.”
Sandra Scarbrough, the chief of strategic planning and business transformation at NIH, said more than 100 employees have volunteered to play an active role in improving the agency’s IT security, even if they don’t work in IT or cyber positions.
“We feel that that the non-IT staff members are really valuable and important. They’re there to support the science,” Scarbrough said.
Out of those 100 volunteers, a dozen officials, including the agency’s human resources director, have volunteered to serve as cyber champions, who will serve as points of contact for cybersecurity questions that employees may have.
“Being a cyber champion is being that person [who] everybody can go to within your organization if they have any questions. You are out there and providing information to people so that they understand what the dangers are of spear-phishing, or [helping them understand] how to report something,” Dugar said. “That’s really part of that sustainment piece; to ensure that this continues on, even after this huge campaign is over. They’re still going to be meeting and they’re still going to be sending out the message to NIH about cybersafe behaviors.”