Cybersecurity considerations for both government and industry have to include leadership, supply chains, mobility, and other components in order to be effective, according to experts who spoke at PCM-G’s Mission First event on July 27.
“I’ve watched, over the course of many decades, folks follow shiny objects. Today’s shiny object is called ‘cyber,’ ” said Edna Conway, chief security officer of Global Value Chain at Cisco Systems. “What I’m concerned about is that folks are thinking only about cyber in isolation of a comprehensive view of physical security, logical operational security, as well as security technology.”
“Every once in a while, lift your head up from your own operations and think about what’s going on outside,” said Brig. Gen. Steven J. Spano, president and chief operating officer of the Center for Internet Security and former director of communications at Headquarters Air Combat Command, Langley Air Force Base, Va.
According to Spano, many of today’s biggest cyber events are caused by a lack of basic cyber hygiene.
“About 75 to 80 percent of vulnerabilities could be mitigated, known vulnerabilities, through configuration patching,” said Spano.
He explained that in his experience with the Air Force, it was often difficult to convince leadership to invest in cybersecurity when physical security and resource issues seemed more pressing.
“In the past, I’ve always viewed the focus was always on tactical operations in cyber,” said Spano.
“It was the IT professionals trying to convince the operators and the senior leaders that cyber is a compelling threat. It’s just not wires and nodes and networks and geeky stuff,” he said, explaining that supply chain security, which means ensuring that purchased products come from trustworthy sources that focus on security, was one of the issues that fell by the wayside. “Supply chain gets very little attention at the senior levels because they’re focused much more on the tactical levels.”
Conway noted that even small changes to, or deficiencies in, the hardware of devices that organizations buy can have huge negative effects.
“You can’t defend your network if you don’t know what’s on your network,” said Lauren Burnell, CISO and engineering services manager for PCM-G and former U.S. Navy Cryptologic Warfare Officer.
Spano said that, for him, the basics of cyber hygiene were to keep count of all the devices on your network, configure them to work as they should within the network, control what is allowed on the network, patch vulnerabilities quickly, and repeat the process continually.
According to Burnell, Federal agencies are also going to have to get a lot faster at onboarding new technology, particularly mobile devices, due to the millennial workforce moving into the government.
“While we as government really do have to start thinking about mobility strategically and for the masses in our mission, [the reason] we have to start thinking about that adoption now is because, honestly, the next generation of public sector workers are going to have certain expectations of the technology they’re going to need,” said Burnell.