Published on June 1st, 2022
Government Leaders Take Closer Look at Workforce Component of Cybersecurity Implementation
The U.S. government is locking down its focus on cybersecurity and looking toward data and zero trust as key tools in the effort. In January, the Office of Management and Budget released a federal strategy that guides the government’s widespread adoption of zero trust approaches. The Intelligence Community is also drafting a new data strategy for the first time since 2017.
Now, federal leaders are working through workforce and cultural challenges as they implement cybersecurity best practices within their organizations.
James Wolff, chief information officer for the Department of Energy’s National Nuclear Security Administration, said the main hurdle he encounters – aside from the sheer size of the DOE’s “vast” operational environment – is being able to educate employees on cybersecurity.
Though Wolff primarily classifies cybersecurity gaps as a data science problem, he said, “in the end, in any of these circumstances, it is still a person acting on a machine.”
“So somehow we have to understand the behavior of a person,” Wolff said during the Potomac Officers Club’s Reframing Cyber Posture Around Data Collection, Analysis and Action Forum. “We must also coach and develop that person, the customer of our systems on what are good practices and not good practices, so that they operate more effectively with their systems and at a reduced risk.”
A concentrated focus on workforce development is critical not only because more educated users can lead to better operational outcomes, but also because users who don’t have a solid understanding of cybersecurity are finding ways to circumvent the measures put in place.
Often, there is a disconnect between the cybersecurity teams and the end users that are expected to adhere to security measures, according to Gerald Caron, CIO and assistant inspector general of information technology for the Office of the Inspector General within the Department of Health and Human Services.
As employees get more and more familiar with telework and remote work, Caron is bringing these users into the cybersecurity development process and viewing them as an essential part of the team.
Caron is now asking users, “What’s working for them? What’s good? What’s not working? What would they like to do better? What data do they need access to? When do they need access to that data? How do they want to be able to access that data?”
“That way we’re building it into our security as part of the requirements, rather than just doing security,” he explained. Caron said that after users have given their input and better understand the need, he’s found that cybersecurity measures are more adoptable and widely accepted by the users affected.
But Wolff warned that this effort must not come at the expense of a constant focus on strengthening cybersecurity capabilities.
“We have to do what we can to develop the entire workforce around cybersecurity, but then we have to be really building our capabilities to understand data at a much deeper and stronger level so that we can find those anomalies around behavior or anomalies in the data traffic that we see,” he explained.
Other issues federal executives encounter include security measures that are put in difficult locations, or ones that may just not be compatible with a certain system.
Specifically, Mike Toecker, cybersecurity program manager for the DOE’s Cybersecurity, Energy Security and Emergency Response office, said security tools like Multi-Factor Authentication can’t always be implemented for every system.
“There are many systems within an OT environment that really just can’t take an MFA piece,” he revealed. “So a lot of this comes down to, ‘Okay, what risks, what threats are we attempting to counter here with this MFA control?’”
Toecker said in order to build a risk-informed, threat-informed cybersecurity strategy, organizations should look at where their OT systems are right now and where leaders want their security posture to be in five years, and then strategically place controls in a way that makes sense and is cost-effective.
“When it comes down to it, you also want to avoid trying to put too many controls in places where they’ve never been before,” he advised.
To learn more about cybersecurity, and how data affects it, join our sister platform, GovCon Wire Events, for its Second Annual Data Innovation Forum on June 9.
Marie Falkowski, director of artificial intelligence and data analytics within the Digital Innovation Directorate of the CIA, will serve as keynote speaker.