When ISC², a non-profit focused on cybersecurity education and certification, conducted a survey of chief information security officers for federal agencies, it found three major concerns that permeated the results.
First, it found that “there needs to be a focus not only on educating the cyber workforce, but educating the workforce on cyber,” said Dan Waddell, the North American division manager of ISC², speaking during Cybersecurity Awareness Month.
This first concern is pretty standard both within government and the private sector. Users are widely seen as any system’s greatest vulnerability. Hacking strategies like phishing seek to exploit this weakness.
Waddell pointed to the breach at the Office of Personnel Management as an example of this; he said it wasn’t so much the technology as the people that were vulnerable. The message of cybersecurity wasn’t permeating the agency.
In addition, Waddell said that users regularly circumvent cybersecurity controls in the name of convenience, for example by installing Dropbox on their machines rather than following the more complicated approved procedures for file transfer.
Greater buy-in from different departments would also help, Waddell said, especially human resources.
“One of the things that we found in the report was that there were certain feelings in other departments such as HR that cybersecurity wasn’t their job,” Waddell told Federal Drive with Tom Temin. “And we really think that HR is a great vertical to be able to help spread the positive culture of cybersecurity.”
With collaboration from HR, cybersecurity could be included in day-one orientations, helping to create a culture of cybersecurity within agencies by introducing the tools and policies immediately.
But HR also has a role to play when it comes to executives.
“Think of it in this aspect: if a security administrator, who has all the keys to the kingdom … if for whatever reason that person leaves the agency, guess who’s going to be responsible for clicking the button to make sure that access is revoked,” Waddell said.
The second main concern of the CISOs was resources.
“We talk about having the need for accountability,” Waddell said. “They want to be accountable, but in order to do that, they need the budget, they need the resources, they need the tools in order to really execute the job.”
Waddell said there are currently some movements in that direction. For example, cybersecurity plays a large role in federal Chief Information Officer Tony Scott’s $3.1 billion IT modernization plan. But that plan hasn’t been approved.
“I’ve heard recently that Tony Scott is kind of crossing his fingers and hoping something like that would be approved. We just don’t know yet,” Waddell said.
However, at the agency level, some progress is being made.
“Certainly, [the Department of Homeland Security] is doing their part to provide some shared services to help protect against some of these threats,” Waddell said. “A lot has been talked about EINSTEIN 3A, which is basically their intrusion detection system.”
The system was approved for use by all agencies in 2015, but to date only two-thirds of agencies have actually adopted it, although agencies are required to adopt it by Dec. 18.
“It’s a tool in the toolbox,” Waddell said. “I guarantee it was not designed to be one-size-fits-all. It’s a capability these agencies can leverage.”
He said the main goal of the program is to give DHS greater visibility across government systems.
“You really look at EINSTEIN as kind of a traffic cop, being able to direct traffic in and out and raise awareness for things that happen,” Waddell said.
So if one agency gets hit with a cyber attack, DHS can help spread the word to other agencies, which can adjust their controls to protect against the same attack before it reaches them.
This is just one way in which shared services can provide resources for CISOs to be more accountable.
“I think another example — maybe even a better example — of a shared services model that could really work would be on the workforce,” Waddell said. “We talk about having some sort of a cadre of cybersecurity professionals in a shared-services model that rotates across the agencies. I think that would be a great model.”
He said cyber employees get bored and don’t want to spend 10 years at the same desk. They may even want to jump into the private sector.
That leads to the third major concern of CISOs according to the report: training non-cybersecurity employees to help bolster the cyber workforce.
“We also talked a lot about having some training dollars set aside to not only train the cyber workforce — the security engineers, the security administrators, the developers — but also the non-cyber employees,” Waddell said. “We talk about the cyber workforce shortage, and we’re certainly doing our part to solve that, but not everyone’s going to be a [certified information systems security professional].”
He pointed to the National Protection and Programs Directorate within DHS as an example of an agency with a certification reimbursement program.
“If an agency invests in that talent, in that cyber workforce, they’re more liable to stick around,” he said.
Waddell said a trained cyber corps can help share resources among government agencies, as well as help integrate contractors into agency cybersecurity.
“We’re starting to see some of that organically,” Waddell said. “I know when I was a federal government contractor, a lot of my coworkers re-badged and became federal employees, and obviously the reverse happened as well.”