Cyber Leaders Call for ‘Data Dominance’ to Drive Compliance

A “data dominance” mindset can help agencies quickly and efficiently meet federal cyber compliance requirements, according to federal leaders speaking on a panel at the CyberScape Summit in Bethesda, Maryland, Thursday.

Panelists noted the concept as one where having strong data governance can create immense cybersecurity advantages in pursuit of complying with 2021 memos on improving government’s investigative and remediation capabilities related to cybersecurity incidents and on zero trust.

A 2023 Government Accountability Office (GAO) report noted only three of the 23 agencies had reached the necessary logging requirements outlined in the memo. GAO also cited key challenges hindering agencies’ abilities to fully comply with M-21-31: lack of staff, event logging technical challenges and limitations on information sharing.

Staying to the Left of Threats

Jeff Hyacinthe, associate chief data officer under the Assistant Secretary for Policy, Management and Budget in the Office of the Secretary at the Interior Department, said that a data dominance approach means organizations should analyze data through a proactive lens.

“I want to put the emphasis on the proactiveness as opposed to the reactiveness that historically in a cybersecurity context has been viewed as kind of like policy compliance,” said Hyacinthe. “[Proactiveness] is really getting at the heart at driving it into security operations and those workflows.”

Foxhole Technology President Gus Tomé said that data is a tangible asset, and protecting it requires evolving tactics. Organizations must assess investments and tools routinely to ensure effectiveness. If organizations can’t measure how effective data tools and strategies are, Tomé said data policies remain obsolete.

“If you try to apply a framework to a living organism called cybersecurity that’s constantly morphing and constantly changing, your policy is never going to be effectively applied,” said Tomé.

Hyacinthe is working across his agency with employees who may view certain technologies and capabilities as singular tools specific to their environment to determine if the tools could scale to help other employees perform their tasks more quickly.

He added, “I’m always a strong proponent for assessing your tools and seeing where you need to make reinvestments or where you can reuse things across parts of an organization.”

Increasing Communication and Collaboration

Darren Death, who serves as CISO, chief privacy officer and deputy CAIO of the Export-Import Bank of the United States (EXIM), said focusing on the administrative details can help eliminate cybersecurity risks. Death added that IT officials should prioritize soft skills — like communication and understanding the enterprise — to improve security decisions.

“If you aren’t actually communicating and understanding what the business unit is doing, what the HR is doing, if you have things classified, you’re probably going to make security decisions that are going to cause issues,” said Death. “You’re going [to see] that lack of trust [with employees].”

Justin Ubert, division chief for cybersecurity and operations at the Federal Transit Administration, said his office is partnering with the agency’s CDO to increase data literacy. Ubert said he’s not trying to reinvent the wheel as he asks for help and expertise from his agency counterparts.

“Figure out who you can partner with and break down those silos,” said Ubert. “That’s the way we’re going to tackle this. It’s going to be a whole of effort across multiple areas to get better efficiency.”