Culture Drives Cybersecurity for DHS, DOD
Concepts and mandates such as cyber incident reporting, DevSecOps and zero trust only go so far.

Improving federal cybersecurity requires a radical mindset shift and a proactive approach to risk management, federal cyber leaders said this week.
Concepts and imperatives such as cyber incident reporting, DevSecOps and zero trust frame the recommended approach, but good cybersecurity ultimately comes down to culture, Army Software Factory Chief Product and Innovation Officer Hannah Hunt said at an ATARC webinar on Authority to Operate (ATO) modernization and DevSecOps Thursday.
“You can have a three-year ATO, and for a lot of organizations that means I won’t look at my security environment for another three years,” Hunt said. “Talent management is a big piece to that. The focus on compliance over security is another big pain point that the Department [of Defense] faces. That all comes back to the talent management at the end of the day and not having that skill and knowledge to make those nuanced and risk-based decisions.”
The security of a product, such as a cloud application, must be evaluated from a holistic perspective, Hunt added.
“Some authorizing officials are better than others in that regard and really do want to provide that holistic risk picture as opposed to, ‘OK, I did my job, I’ll see you in two years,’” she said. “It’s partly holding authorizing officials accountable to their mandate. It becomes a cultural thing. If we as a department want to champion the ATO as part of a risk management framework, that starts at the authorizing official level.”
In response to the rise in cybercrime, the White House’s Executive Order on Improving the Nation’s Cybersecurity mandates federal agencies adopt a zero trust approach to cybersecurity, and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires owners and operators of critical infrastructure to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.
Iranga Kahangama, assistant secretary for Cyber, Infrastructure, Risk and Resilience Policy at the Department of Homeland Security’s Office of Strategy, Policy and Plans, said all organizations are susceptible to the “lowest common denominator” of cybersecurity, even something as simple as a cloud login.
“No matter how big an organization you are, the smallest vulnerability can be quite damaging,” he said at a House Homeland Security Committee hearing Tuesday.
“Big commercial software have massive vulnerabilities on them,” Hunt added. “Anytime we bring in commercial-off-the-shelf software, there’s a requirement to review the source code or security posture of the software before it’s brought into the environment.”
CISA Deputy Executive Assistant Director Matt Hartman said every organization should implement multi-factor authentication and a cyber incident response plan, establish encrypted data backups, test them to avoid paying ransoms for stolen data and report cyber incidents to CISA as soon as possible.
Each prong of Hartman’s recommended cyber strategy requires a cultural approach.
“It is absolutely paramount that cybersecurity start at the top of an organization, at the board level,” he said at the hearing Tuesday. “Organizations that are working to develop incident response plans on the fly are generally not successful.”
According to Varonis, a data security platform service, 66% of companies say compliance mandates are driving cyber spending, but more than 77% of organizations do not have a cyber incident response plan in place.
But leaning on compliance won’t produce an effective cybersecurity strategy, Hunt said, and buying software products to implement zero trust won’t necessarily move the needle on an organization’s cyber posture. Upskilling workers and changing mindsets is key.
“From a talent management perspective, there’s not a significant amount of knowledge around cloud and platform engineering. … That increases the level of risk-aversion to operate in those environments,” she said. “Something I see oftentimes is an overemphasis on compliance rather than security, as in paperwork and making sure what’s being delivered checks all the various boxes rather than [developing] a truly secure platform. Making something compliant doesn’t necessarily make it secure.”