Cybersecurity is a fast-moving target, particularly in the public sector. With constantly changing mandates and compliance requirements, it is hard to keep up. Since the Office of Personnel Management compromise in 2015, government security leaders have been in overdrive trying to strengthen their organizations’ security measures to stave off the next major breach. This focus on cybersecurity in the public sector has also made the “government needs to be more like industry” cry louder than ever. Unfortunately, it is also more wrong than ever.
I know this because I routinely hear from and ask questions of security leaders from both commercial and public sector organizations, and the top problems are categorically identical: talent recruitment and retention, skills gaps, budget challenges, and a constant stream of new threats for which to look out.
The hard truth is, despite 30-day cyber sprints, creating a promising Continuous Diagnostics and Mitigation Program, acquiring the latest tech and checking off every other “best practices” box, we are playing catch-up with our adversaries. And we will continue down that path until we change tack.
What is the solution I offer to end your adversarial woes? First, discard that question. Your route to success: Go back to basics and roll up your sleeves.
You Can’t Protect What You Can’t See
Past midnight, a beat cop comes upon a chief information security officer (CISO) on his hands and knees under a bright street lamp. The CISO is searching the road for dropped keys. After 30 fruitless minutes of assisting with the search, the impatient officer asks, “Where did you lose them?”
“Over there,” the CISO says, pointing at a darkened alley, “but the light’s much better here.”
I won’t win any plaudits for this pearl of wisdom: You cannot secure that which you cannot see. Nor for this: What you need to secure may not be where you’re looking. Before you nod in obvious agreement, check in with your security operations centers. Do they lack visibility across the IT, network, cloud, and security infrastructure stacks? To paraphrase Donald Rumsfeld, how would they know their unknown unknowns?
“But,” you answer, “I have visibility and monitoring tools… a dozen of them!” Do those tools give you a holistic view of your infrastructure? Have you evaluated both gaps and overlaps or duplicates? Is your infrastructure complete but fragmented?
By the time you piece together that puzzle, has your environment changed? In my experience, dealing with a tangled mess of wires in a data center is more appealing than facing the answer to those questions. I’ve been there.
How do you begin to sort out your data? The most critical step is starting with a thorough risk assessment of your practices by asking the boring but right questions. For starters:
- Where is your data?
- Who and what have access to that data?
- How complete is your inventory?
- How thorough is your configuration management database (CMDB)? How up to date is it?
- Are you seeing what is necessary or simply what is convenient?
Also, determine what success looks like for your agency. Is it enhancing the way you collect and use data to guard against inbound risks? What level of breach or compromise are you comfortable with? This last question is one I find most people hesitant to address but perhaps is the most significant.
This work is tedious. It looks less like vendor dinners or rolling out a new tool and more like listening to your team, comparing notes with other CISOs, and reading, learning, doing. But I promise it will be worth the work, and even more, now is the best time to be conducting this effort. Your success is in the excellent delivery of monotonous tasks.
Artificial Intelligence and Machine Learning Can Help
Once your agency has determined its goals and figured out what you can see and need to protect, it is time to put your talent into action, define your tactics, and finally line up supporting technology.
Remember that CMDB? Now that the grunt work is complete, your confidence in it should be higher than ever and well placed. The law of entropy assures us that the universe tends toward chaos. A massive expenditure of energy is needed to halt and reverse that natural degradation. That brute force and total commitment to the rudiments and fundamentals will buy you breathing room to deploy scripting and automation to hold the new line.
Now you have a path to those shiny artificial intelligence (AI) and machine learning (ML) tools you’ve been eyeing. When they are properly deployed, relying on the solid foundation established by your earlier diligence, you may find those tools will even help alleviate the stress on your overworked security team. A refreshed and re-engaged security team focusing on higher-order questions and problems is a game changer you’ll not soon forget.
But AI and ML are only as good as the data you can provide. That’s why the tedious stuff is imperative — so the fun stuff can be even more fun.
I know there are a lot of people in both the public and private sectors who will read this and say “Obviously.” But I also know there are more who will get nervous thinking about how much mind-numbing work I just prescribed. I would remind both of the truism: Well done is better than well said.
Because again: I’ve been there. In fact, I’m still there, because the nature of security is never-ending and there is always more to be done.
Joel Fulton, Ph.D., is Chief Information Security Officer for Splunk, leading the Splunk Global Security teams, where he also supports product development as well as customer and partner relationships. Prior to joining Splunk, Joel held security leadership positions at … View Full Bio