Amid a rapidly evolving digital landscape that has made data security a top concern for Federal agencies and industry, holistic and continuous approaches to cybersecurity are important for safeguarding data and applications which depend on secure data, the chief information security officer of the Consumer Financial Protection Bureau (CFPB) said on Sept. 25.
Speaking at a NextGov event on Sept. 25, CFPB CISO Tiina Rodrigue emphasized the dynamic nature of cybersecurity and described it as an iterative process that requires constant vigilance.
“Data security is not a destination, it is the way,” said Rodrigue, who called for security to be embedded at every phase of product development and maintenance.
“Think about how, through emergence, they’re able to connect and create wholes which are more than sum of the parts,” said Rodrigue. “You also need to think about your product development mindset and how […] you’re taking into account the aspects of security, zero trust, supply chain, risk management, resilience, systems thinking, so that as you do your research and create your minimum viable product […] you’re able to create that identity, logging, monitoring, data protection, availability, all of those things.”
In addition to embedding principles like zero trust and resilience into the ideation and operational phases of cybersecurity planning, Rodrigue emphasized the need for rigorous testing including static application security testing (SAST), dynamic application security testing (DAST), and penetration testing for external-facing software.
Rodrigue also noted the importance of third-party security attestations, required by the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB), to pinpoint weak spots before they become security risks.
“You think about all of the inputs to the system as that which could be a possible source of malware, much like a river can be polluted and it gets more and more concentrated, you can see that each point of input can have a cascading effect further with the attestation letters,” Rodrigue said. “Part of what we’re able to determine is where third party software producers feel confident that they are doing the right thing, and, more importantly, where third party software producers are not confident in their capability.”
Beyond technology, Rodrigue said that cybersecurity is “everyone’s job,” and called for continuous training and competence building.
“Ensuring our people are trained, competent, have the critical thinking necessary in order to keep resilience top of mind – and that this is not a point in time, but an ongoing constant review, because the risk itself to data security is dynamic, and that you must harden iteratively,” she said.
“It’s difficult, and it’s trending towards more difficult, but once we recognize that cybersecurity is everyone’s job, then you’ll have people with their cyber smarts and their cyber hearts in the right place,” she said.
