To protect high value assets (HVAs), Federal agencies need to fully deploy the Continuous Diagnostics and Mitigation (CDM) program, clearly communicate strengths and weaknesses to leadership, and ensure system owners have a stake in their CDM deployment, explained Jeff Eisensmith, former CISO at the Department of Homeland Security (DHS), during a MeriTalk webinar on January 12.
Eisensmith’s advice came alongside findings from MeriTalk’s research, Defending HVAs, which found a strong desire among government and industry stakeholders for the CDM program to increase its efforts around HVAs. Eisensmith agreed, emphasizing the benefits of visibility for both security and operations.
“There really aren’t any of the CDM capabilities and requirements that don’t fit the HVAs, but ones that I think stand out are auditing and authorization,” he said. “There’s nothing that IT operations loves more than an HVA going down in the middle of the night. With your CDM tools, it’s pretty easy to go back in time and identify who touched that system last, and who broke it … making sure that CDM tools – which are security tools – are helpful for operations as well,” he added.
Drawing on his tenure as DHS CISO from 2013 to April 2018, Eisensmith described how his team singled out HVAs for monitoring and then took the important step of turning that data into useful information for DHS leadership, with an emphasis on making it useful for non-IT management.
“One of the tools that I used to use when I was the CISO of DHS was that I would create an HVA-specific CDM scorecard. I could get that in front of funding decisions and resource decisions. For instance, System A, an HVA, was going before the CFO Council for a major procurement decision, and I would show up with that system scorecard and say, ‘Well, they’re looking to make a lot of investments, but their security is lacking.’ It didn’t make me a lot of friends, but it did get their attention,” he recounted.
He strongly recommended the scorecard approach for other agencies and explained how it could help win support and overcome a lack of funding – a problem that 49 percent of agencies identified as a challenge to protecting HVAs in MeriTalk’s research.
“If you create a system-specific scorecard, it’s much more impactful – to be able to show that scorecard, clearly identify who the system owner is, and call them out if they’re saying security isn’t that important. Without that level of granularity specific to a system, you’re speaking in generalities and you’re not likely to get traction talking to upper management about things that need to change,” he said.
A key part of the scorecard approach is reaching system owners and making sure they have skin in the CDM game. Eisensmith recommended that agency CISOs single out low-performing systems and system owners that are trying to avoid scrutiny, and try to get CDM implementation into their work plans.
“Most agencies probably don’t have performance work plans done for leadership yet, so there’s probably still time to suggest to leadership that operations and system owners and sometimes even CFOs get CDM success into their work plans. There’s no better way to get an SES-er’s attention, or a GS-15’s attention, than saying ‘it’s part of the work plan’.”
To hear more from Eisensmith on CDM and HVAs, view the full webinar.