Officials talk candidly about workforce cyber hygiene
Better governance, improved accountability and more training are needed to improve cybersecurity.
Cyber experts from both the public and private sector say better governance and more accountability in the federal workforce are needed in order to improve cybersecurity.
National Institute of Standards and Technology Fellow Ron Ross said the bigger problem "is a governance issue; it's about leadership ... I think we have to turn the corner at some point and start to take a hard look at what we are doing and see what we can do better." Ross spoke at an April 25 event hosted by the Institute for Critical Infrastructure Technology's in Washington.
A household name in the cybersecurity arena, Ross said that, given the size and scope of databases that are now common, it is essential to have that accountability factor. In the case of the Office of Personnel Management, for example, he argued that the breach might have been avoided if there was a better structure governing who the authorizing officials are for systems usage.
ICIT Fellow Dan Waddell added that there needs to be more resources devoted to cybersecurity training for the workforce. "Systems need patching, but people need patching too," he said. And such training can't be limited to the tech specialists, he stressed; getting employees in other departments to internalize good cyber hygiene makes them a greater asset to the organization. It's "not just educating the cyber workforce," he said.
As awareness of the threats posed to agency networks continues to grow, and lawmakers continue to pass more legislation aimed at protection, it adds another level of spotlight on the topic. Thomas Boyden, also an ICIT fellow, said that visibility is another important reason not to risk the "keys to the entire kingdom" by granting even legitimate users unnecessarily broad access. Even within private industry, he said, compartmentalizing access is still a hard shift.
Ross stressed during the event that changing the culture at agencies is integral to the overall success, and challenging institutional bureaucracy is just as important because "those are things that are going to bring you down faster." And he and his NIST colleagues have been working on Special Publication 800-160 to help encourage such evolutions. The approximately 300-page document, scheduled to be published for public comment on May 4, explores how agencies can improve their security posture no matter what stage of the lifecycle their systems are in.
"Systems engineering and security engineering [are] a worldwide problem," Ross told FCW after the event. "Therefore the solutions are going to involve government, industry, and academia, and the not-for-profits, all in this great partnership working together to try to really solve this problem once and for all."
"The whole purpose of this document is to give people flexibility no matter where they are in lifecycle to do things that are going to help them be more secure and build systems that are more trustworthy," he said.