‘Data is my new perimeter’: CISOs cope with challenges of remote workforce

You’ve heard the truism before: Cybersecurity is a moving target. That took on a whole new meaning with the onset of the coronavirus pandemic, as the federal workforce moved en masse out of their offices and into their homes.

Suddenly, federal cybersecurity professionals were looking at a completely new challenge: How do you secure a primarily remote workforce?

“The data is my new perimeter. No longer am I concerned about those that are inside the walls of USDA. Now it becomes what happens that my data is now in the many homes of over 100,000 people who use it at the Department of Agriculture, and how do I as a CISO address that?” said Venice Goodwine, chief information security officer at USDA, during the July 14 Splunk Cloud Virtual Summit. “And so as a CISO you start to look within your toolbox and really understand what do I have in my toolbox to use, based on the investments I’ve made, that will give me the answer to that question: who is accessing my data? How are they accessing my data? Where is my data moving to?”

To be fair, this is the direction cybersecurity has been heading for some time anyways, Goodwine said. The coronavirus pandemic merely accelerated the changes, as it has in so many other fields. And many agencies have already been laying the foundation for this change through their cloud investments.

Advertisement

To the visibility question, Goodwine said the key component here is zero trust. CISOs need to understand what assets need access to what data, when, and why. And if they need access to the data today, will they still need access tomorrow?

In some cases, that comes down to authentication, and developing new ways to do that. For example, the Education Department’s Personal Identity Verification badging stations were closed for several weeks, which unfortunately coincided with a surge in onboarding. So the department did a five day sprint to come up with alternative methods for issuing equipment and leveraging strong authenticators without the traditional method of the PIV.

“Where I’ve been exceptionally proud of my organization is they have leaned forward and said, ‘because we’ve always done it this way’ is no longer [an] acceptable answer. And so there is that opportunity to press hard and say, how can we get to yes?” said Steven Hernandez, Education’s CISO, during the cloud summit. “So the disruption has been overwhelmingly positive for us, because it’s forced us to think outside of tradition, it’s forced us to think outside of status quo. And frankly, in many cases, we’re not going to go back to the prior ones.”

And this perspective of forging ahead, taking advantage of the disruption and not looking back seems to be pervasive; Goodwine expressed similar sentiments.

“We were already on a path to start our build trust journey. And really, this just catapulted that. We have a strong ICAM program, which is the foundation we’ve made investments on to understand what’s on our network, either through our tools or other investments,” Goodwine said. “And now we’re just moving faster because as you noticed during COVID, we were issuing policy and direction that would normally take months, and did it in weeks. So there’s no sense to go back to that.”

And that sentiment includes old paradigms for work. Even as some agencies begin to reopen, Goodwine said she expects to see more of a hybrid workforce going forward, with expanded remote work options.

“We’ve set, I think, somewhat of a new standard on how we do business, in how nimble we are, how adaptable we are. I think we’re going to have to stay that way,” she said. “To try to go back into an old way, I think would really be a detriment. So I’d like to take what we have and now this is what our new norm is. And then we just build from there. Everything you do in IT starts with a baseline. I think COVID is giving us just a new baseline on how we’re going to do business and provide services to our customers.”