The Federal government is increasingly pushing for cyber resilience as a mission-critical capability in the face of unrelenting attacks. But getting there is no easy task.
Military and private sector panelists at MeriTalk’s Cyber Central event in Washington, D.C., on Oct. 27 shared their insights on the essential steps for the Federal government to build out cyber resiliency across critical infrastructure.
First and foremost, the panelists explained, Federal agencies must understand the ins and outs of their networks. By understanding how their networks behave, agencies can then better detect suspicious activity.
“As [the National Institute of Standards and Technology] report stated, before you begin any cybersecurity journey, you need to have a clear understanding of the behaviors within your network,” said Andy Stewart, national security and government senior strategist for cybersecurity at Cisco.
But understanding your networks also means having a clear focus on data governance and identity access management, added Renata Spinks, assistant director and deputy CIO at the United States Marine Corps.
“When we thought about security in the past, it was a lot of talk on prevention and operations. Now there is a focus on detection, response, and recovery,” Spinks said. “A part of that move is clear governance on identity access management, knowing who is in your network and what they are allowed access to and when.”
In addition, Spinks explained that forcing change upon an agency workforce culture is a critical mistake to avoid. While the need for cyber resilience has become a popular idea, not every staffer at a Federal agency wants to change the way they’ve operated for years.
“We cannot expect people to change just because we tell them to change, and if we go about it that way, we are surely going to fail,” Spinks said. “We need to explain to our workforce why the change is necessary and how that change will be beneficial to them.”
She also explained that when building out cybersecurity resilience, Federal agencies need to remember that the people in an enterprise are essential to that process. Therefore, agency leadership must reinforce security goals and communicate those goals across the entire enterprise. There also needs to be a focus on continuous education of cyber practices for the workforce “because cyber is not just an IT problem,” she said.
Stewart concurred with Spinks’ assessment that people are a critical area in building security resilience. He added that Federal agencies “must focus on the people within their organization, and the technology and processes will follow.”
Spinks also explained that achieving cyber resilience takes a village; one individual can’t do it alone. This, Spinks specified, is where “we bring in the private sector and academia to offer their insights, solutions, and capability to ensure we achieve that security resilience we are striving for in the Federal space.”