Shortly after her induction into the 2024 class of Cyber Defenders, we were delighted to grab 20 minutes with Megan Kane, Risk Management Branch Chief at the Department of Homeland Security’s U.S. Citizenship and Immigration Services component, for a talk about the critical importance of risk management along with the hot-button challenges of supply chain risk management, the advent of AI in security, continuous monitoring, governance improvements, and zero trust implementation.
MeriTalk: Megan, big congrats on the Cyber Defender award! Can you tell us a little bit about your job and the security work you are doing at DHS?
Kane: I’m the Risk Management Branch Chief at U.S. Citizenship and Immigration Services (USCIS) within DHS. My team is responsible for security authorization, ongoing authorization, POA&Ms (plans of action and milestones) and everything that supports the risk management framework. Basically, anything that is FISMA (Federal Information Security Management Act) compliance-related comes through my team.
I’m responsible for making sure the ISSOs (information system security officers) in the agency are properly trained, that they are designated, that they know what they are responsible for, and that they are doing the appropriate work. It’s important that they are not just focused on checking the box for security, but that they actually have the tools they need to look at their system security posture and make good recommendations to the people that make the decisions.
My team also oversees vulnerability management and configuration management – those are newer programs for us. We used to manage vulnerabilities by pointing to the ISSOs: “Hey, go get your vulnerabilities patched.” Now we’re really focused on driving remediation and solutions for the enterprise, following consistent processes. We’ve been having a lot of success with this approach.
MeriTalk: If we had spoken before the CrowdStrike disruption, my ears would not have perked up quite so much on the configuration mention…
Kane: (Laughs) If something gets pushed out and somebody didn’t test it properly, or there is an outage, we’re the first group people call, asking what we are doing, what the ISSO is doing, and if it was a cyberattack.
What I think was most interesting about that was just the global scale and how quickly it just locked people up. I have friends working in the private sector asking me about it and the answer is simply, somebody forgot to test. It was a mistake that caused a lot of chaos.
MeriTalk: In the bigger picture on security, what are some recent policy and tech trends you are seeing that are helping to improve security and that we should be doing more of?
Kane: I think supply chain management is one of the biggest tech trends. Supply chain management is huge at DHS, and we’re part of a working group to standardize capabilities for assessing and mitigating cybersecurity supply chain risks. We’ve definitely seen a larger focus on this and a shift in policy since the 2021 cybersecurity Executive Order and Log4j.
While USCIS is 90-plus percent cloud-based, cloud still continues to be a tech trend that will improve security. I recently participated in a market research group, where other government employees were talking about their current migration to the cloud. I was surprised how many agencies are just starting their journey.
Software as a service continues to be a trend, with so many products available now. Changes to FedRAMP (Federal Risk and Authorization Management Program) are coming along, but I think the newer changes are going to make it even more complicated for small businesses and their ability to get authorized. It’s already a cumbersome and expensive process, but now it seems like this new process may slow that down even further. When I talk to vendors, one of my first questions as somebody who works for government is “Are you FedRAMP?” and if they say “Not yet,” I immediately think about the hurdles we’d face to authorize the product due to governance limitations. It’s unfortunate because there are a lot of cool products that haven’t been FedRAMP authorized.
Another trend is adopting data-driven continuous monitoring processes. I think continuous monitoring is shifting – at least from what we’re seeing at DHS agencies – to more of a continuous assessment approach. I’m in favor of it, but I’d like to see more common-sense governance around it.
As for what we should be doing more of, I would say governance – we need solid, sound, common-sense governance and to evaluate some of the archaic policies that we currently have, making sure that compliance is more of a byproduct of security and that we’re really focused on managing risk. If we are doing that, and we are doing that properly, compliance should fall in line.
MeriTalk: Also in the bigger picture, what looms large for challenges in improving security?
Kane: AI is going to be a challenge especially with getting good governance around it.
In my opinion, the immediate impact at USCIS is not necessarily AI, but more so container security. We’re leveraging containers in almost all of our application development, and one of the biggest challenges is vulnerability management and configuration management of these containers. We’re seeing that with our cloud service providers as well; the vendors are struggling with it too.
The other thing that really stands out to me is zero trust. I think there are challenges with understanding what the concept is, then determining your capability and maturity. Unlike the tried-and-true risk management framework, I don’t believe that there’s any real roadmap or framework out there available for zero trust. Similar to AI guidance, a lot of it is theoretical and high-level at this point, and nobody’s saying “here’s the path, follow this.” I see that as being a big challenge.
MeriTalk: How did you find your way to the tech security field, was it something that always seemed like a natural path or was the path more complicated?
Kane: It was definitely an evolution for me. I went to school for a communications degree, and I had wholeheartedly intended to work for a nonprofit, but then realized that work wasn’t for me. I moved to the D.C. area in 2009; I was working at a union, and a friend told me about openings at DHS. I didn’t have much experience, but they gave me a chance, and it’s become a very interesting career. It’s really been a wild ride.
Since 2011 I have worked for the USCIS Information Security Division doing risk management. I started out providing ISSO support and worked my way up to leading the branch. Although I’m not a hands-on technical person, I’ve been in a variety of different positions within the team and know a lot about the work and how our Agency’s programs fit together. There are so many really smart people working on our team and at USCIS. If we can continue to tap into them, and give them opportunities, we’ll be unstoppable.
MeriTalk: Final question – what do you enjoy doing in “real life” that doesn’t have anything to do with technology and security?
Kane: I’m getting married in October, so wedding planning takes up a lot of my time. I’m also a Cleveland Guardians fan and have been watching a lot of Cleveland baseball this summer.