The Defense Department implemented a back-to-basics cybersecurity program in 2015, establishing a cybersecurity scorecard as “a means for the Secretary of Defense to understand cybersecurity compliance at the strategic level by reporting metrics at the service tier.”
The DoD has made significant progress in establishing an improved cyber baseline, and now is planning a move to a more risk-based approach, said Ed Brindley, acting DoD deputy chief information officer for cybersecurity.
“We often refer to this as good cyber hygiene,” Brindley said.
Although the scorecard has been successful in its limited goals, it does not by itself ensure DoD’s networks and data are secure.
“It effectively shows us a level of compliance with DoD cybersecurity policies, but it doesn’t tell us about risk. If we understand the risk, that means we understand the threat level. The current scorecard doesn’t tell us that,” Brindley said.
To take the step from compliance to risk management, DoD is automating the current manual process of gathering scorecard data to enable a better understanding of the threat landscape that is closer to real time.
“Over the past two years, we have been able to move from a manual scorecard to an automated version for the collection and analysis of the data used in the current scorecard,” Brindley said. “However, we acknowledge more work remains to achieve an endurable process. Scorecard version 2.0 will seek to shift our paradigm. Instead of maximizing our cybersecurity compliance, we will shift the focus to managing our cybersecurity risk.”
This will better equip chief information officers and chief information security officers to focus on the greatest threats to DoD missions, he added. While DoD pursues the tools to automate the collection and understanding of security data, it is important to remember that automation by itself does not provide a complete cybersecurity program, said Katell Thielemann, research vice president at Gartner’s federal public sector.
“It is important to think of it in terms of a spectrum,” Thielemann said. “Security as a practice is prime for automation.”
One of the drivers for automation is the limited talent pool in which the private sector, civilian agencies and the DoD compete for workers.
“We never seem to find enough people,” Thielemann said.
Another driver is the increasing complexity of the IT environment: people cannot operate at machine speed. But automated tools should not be looked at as a replacement for humans.
“The goal should be to make the best use of people, not completely remove them, by automating what we can and allowing humans to do what they do best,” Thielemann said. “That’s much better than having people do everything or do nothing.”
Automation can be leveraged for gathering data and evaluating it at a high level, looking for trends, correlations and anomalies. In non-critical situations, where responding to a false negative or false positive would not result in undue harm, some responses can be automated. This is what scorecard 2.0 will help do, Brindley said.
“We will integrate new data based on cyber threats, impacts, likelihood and the current data about our vulnerabilities,” he said. “As we continue to automate more of the data sources, we will also be able to provide ever more dynamic and accurate information” for human analysts.
Humans will be freed to analyze the data gathered and flagged by tools, making mission-critical decisions based on real-time risk when necessary. The result should be not merely compliance with cybersecurity policies and requirements, but effective risk management and improved cybersecurity for DoD systems and networks.
There is no firm timeline or hard transition deadline for moving to scorecard 2.0, Brindley said. The first step is identifying the right tools for automating processes.
“The evolution to scorecard 2.0 has been promoted as a top priority by CIO leadership, and DoD is actively pursuing the acquisition of a tool to assist in that process,” he said.