A Government Accountability Office (GAO) director of cybersecurity and IT advised Federal agencies today to get ready and stay ready for when cyberattacks are inevitably going to take place.
During today’s Rubrik Public Sector Virtual Summit powered by MeriTalk, GAO’s Jennifer Franks highlighted that both cross-agency and internal information sharing are key to mitigating vulnerabilities in real time.
“It’s not if, it’s when,” Franks said. “We have to stay ready and get ready [for] when things are going to be coming.”
“What’s been really helpful lately is the information sharing partnerships that have really been happening across the public sector – we just need to accelerate that a whole lot,” she said.
“We are alerting ourselves to the vulnerabilities that are impacting our different agencies and the criticalities of how we need to mitigate them, and we’re doing so in real time to let others know that it may not have happened to you, but these are the things that are helping us to remediate,” the GAO official said.
Franks emphasized a key aspect of preparedness – making sure that all leadership ranks within the Federal government are educated on cybersecurity.
“No one really wants to then understand cyber once an event happens and your organization is in the news,” Franks said. “Having all those executives understand from the beginning of the life cycle why we need to be prepared, what this impact looks like to the criticality of the data and the organization, and really making sure that everyone understands what the key priorities are to keep us on the cutting edge of the technologies and the resources that we have and what’s to come.”
Matt Hayden – GDIT’s VP of cyber and emerging threats and former assistant secretary for cyber, infrastructure, risk, and resilience policy at the Department of Homeland Security – emphasized that agencies need to have a cyber incident preparedness plan in place, and they need to practice it with everyone involved on the day of an attack.
“[Exercising] really illuminates where some of those road bumps are,” Hayden said. “You have a very strong plan, and you execute that plan, but until you go through the scenario of an actual event and break open those binders and have everyone do their part, you really don’t have the true feel for it.”
He emphasized that agencies need to learn how to operate in an environment that “is taking the punch.”
“That’s where that adapt mindset comes in,” he said. “We may have some services that aren’t at their full functionality or full feature set, but we’re still able to perform at a mission advancing level with some protections in place when we know we’ve got an incident to respond to, or we know we’ve got a challenge at hand.”
