INSIDE THE

Cyber Security, the New Era of Collaboration

When faced with crises many organizations either fold or innovate. At yesterday’s AFCEA Bethesda monthly breakfast, the tune was collaboration and consolidation of best practices across agencies. The panel represented a cross section of agencies with different constituencies:

• – Holly Ridgeway, Deputy CISO and Program Manager Justice Security Operations Center, Department of Justice (DOJ)
• – Dan Galik, CISO, Department of Health and Human Services (HHS), and
• – Gil Vega, Associate Chief Information Officer for Cyber Security and CISO, Department of Energy (DOE).

Each CIO/CISO has a different directive of IT assets to protect and manage: DOJ has 42 law enforcement components across federal, regional and local jurisdictions; DOE manages critical information from scientific research labs such as Los Alamos to nuclear reactors; and DHHS manages biomedical research as well as information on single-identity cards.

Similar to the transformation that happened with the CIOs moving up the executive management ladder to sit at the executive decision-making table, so have the CISO’s  moved to the executive decision-making level to assess the risk that each agency encounters as incidents happen. Also similar to the CIOs who reactivated the CIO Council a few years ago, the CISOs have established a CISO Council to share best practices across the federal government.

Moving forward, CISOs are being forced to move from compliance to being more technology and end-user experience focused. It’s no longer enough to be the keepers of the rule book.

Ridgeway, a leader in cyber security innovation, describes DOJ as “investigating, prosecuting and incarcerating all the bad guys.” So the bad guys are after DOJ frequently including Anonymous, which keep them on their toes.

Her new tool is a dashboard that provides real-time network status data. The next step for Ridgeway is developing “risk scoring,” which will allow her team to evaluate data risks and how to approach them.

All the CISO’s identified mobile as a new challenge as the workforce demands access. As Galik described, people don’t want to take two steps back in technology at work, vs. what is available to them on their personal devices. DOJ has 10 pilot programs in place to scope out the issues of security, interoperability, inventory and security of various devices in different environments.

Ridgeway also identified developing a more collaborative work environment between the CISO office and other departments in any agency go a long way in establishing a more secure environment. As incidents happen, individuals involved are not put on a “wall of shame” but rather calmly and clearly educated on how the incident happened and how it can be prevented in the future.

Vega shared, “The nirvana of incident response is empowering the front-end users to understand the connections between cyber security and supporting the mission of their agency so they take responsibility of being vigilant with the IT tools at their disposal.”

It’s the responsibility of the front-end user to use their IT safely and within recommended policies and procedures rather than working around them. It’s also the responsibility of leadership to listen to the front-line users input so they understand the day-to-day tasks needed to support the mission.

Mechanisms for this feedback should be in place so end-users can continually provide feedback as to how cyber security is implemented on the frontline and how it needs to morph to protect against ever-changing cyber attacks.

Underlying much of this is the human element. We can build secure networks but our personnel that interfaces with it every day has to understand their role in cybersecurity. This is still a large challenge to overcome.