
Culture Drives Cybersecurity for DHS, DOD


Concepts and mandates such as cyber incident reporting, DevSecOps and zero trust only go so far.


Improving federal cybersecurity requires a radical mindset shift and a proactive approach to risk management, federal cyber leaders said this week.

Concepts and imperatives such as cyber incident reporting, DevSecOps and zero trust frame the recommended approach, but good cybersecurity ultimately comes down to culture, Army Software Factory Chief Product and Innovation Officer Hannah Hunt said at an ATARC webinar on Authority to Operate (ATO) modernization and DevSecOps Thursday.

“You can have a three-year ATO, and for a lot of organizations that means I won’t look at my security environment for another three years,” Hunt said. “Talent management is a big piece to that. The focus on compliance over security is another big pain point that the Department [of Defense] faces. That all comes back to the talent management at the end of the day and not having that skill and knowledge to make those nuanced and risk-based decisions.”

The security of a product, such as a cloud application, must be evaluated from a holistic perspective, Hunt added.

“Some authorizing officials are better than others in that regard and really do want to provide that holistic risk picture as opposed to, ‘OK, I did my job, I’ll see you in two years,’” she said. “It’s partly holding authorizing officials accountable to their mandate. It becomes a cultural thing. If we as a department want to champion the ATO as part of a risk management framework, that starts at the authorizing official level.”

In response to the rise in cybercrime, the White House’s Executive Order on Improving the Nation’s Cybersecurity mandates federal agencies adopt a zero trust approach to cybersecurity, and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires owners and operators of critical infrastructure to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.

Iranga Kahangama, assistant secretary for Cyber, Infrastructure, Risk and Resilience Policy at the Department of Homeland Security’s Office of Strategy, Policy and Plans, said all organizations are susceptible to the “lowest common denominator” of cybersecurity, even something as simple as a cloud login.

“No matter how big an organization you are, the smallest vulnerability can be quite damaging,” he said at a House Homeland Security Committee hearing Tuesday.

“Big commercial software have massive vulnerabilities on them,” Hunt added. “Anytime we bring in commercial-off-the-shelf software, there’s a requirement to review the source code or security posture of the software before it’s brought into the environment.”

CISA Deputy Executive Assistant Director Matt Hartman said every organization should implement multi-factor authentication and a cyber incident response plan, establish encrypted data backups, test them to avoid paying ransoms for stolen data and report cyber incidents to CISA as soon as possible.

Each prong of Hartman’s recommended cyber strategy requires a cultural approach.

“It is absolutely paramount that cybersecurity start at the top of an organization, at the board level,” he said at the hearing Tuesday. “Organizations that are working to develop incident response plans on the fly are generally not successful.”

According to Varonis, a data security platform service, 66% of companies say compliance mandates are driving cyber spending, but more than 77% of organizations do not have a cyber incident response plan in place.

But leaning on compliance won’t produce an effective cybersecurity strategy, Hunt said, and buying software products to implement zero trust won’t necessarily move the needle on an organization’s cyber posture. Upskilling workers and changing mindsets is key.

“From a talent management perspective, there’s not a significant amount of knowledge around cloud and platform engineering. … That increases the level of risk-aversion to operate in those environments,” she said. “Something I see oftentimes is an overemphasis on compliance rather than security, as in paperwork and making sure what’s being delivered checks all the various boxes rather than [developing] a truly secure platform. Making something compliant doesn’t necessarily make it secure.”
