Hello federal friends, happy last Friday of January. Is the year flying by already for anyone else?
I wanted to talk to you this week about how to position your organization to better prepare yourselves from a cybersecurity standpoint. Who better to help me do this than Jennifer Aniston?
"Yeah. Yeah. We do. Although I didn't actually choose these. I, um, I just sorta grabbed fifteen buttons and just...I don't even know what they say! Y'know, I don't really care. I don't really like talking about my flair."
Ok, you might be thinking, "Well. he finally lost it!" How can Ms. Aniston help with cybersecurity? It's actually not so much her, but this scene from the movie Office Space, where she was chided by her boss for lack of flair. While she hits the bare minimum of what is needed to do the job she is constantly defending herself by saying she's doing just that, hitting the exact number of what is required, and that her boss should get off her back. On the flip side, we see her nemesis Brian and his 37 pieces of flair. Brian never gets grief by the manager and always seems to be smiling rather than having a scowl on his face.
Let's take flair, and replace it with benchmarks. All of you out there have benchmarks to hit, dictated from over-arching federal benchmarks down to specific agency/organizational benchmarks. Well what happens when compliance becomes your sole focus? You narrow your vision to a select group of boxes that you need to check and you end up ignoring the steps needed to get ahead and actually become more proactive (as opposed purely reactive). When you are able to step back and look at the landscape from a 50,000 foot view what do you see? Well in Jennifer's case you see the bare minimum, just enough coverage to keep the boss somewhat at bay but never making him comfortable or confident that she's doing enough. Brian, on the other hand, goes above and beyond and isn't worried about the minimum because those boxes are checked already for him. Brian created a program for himself where he is able to add "benchmarks" to his profile that will boost his status both with management but also with his customers as well. They can be confident that Brian is good at what he does and has is on a trajectory for continued growth. Where as management and the customers might view Jennifer as disengaged and just skating by throwing on her benchmarks and clearly not invested in her own or the restaurants success.
C'mon John where are you getting this from? This came to me while reading an article from 2011, this week. That's right I went back to antiquity for direction in the present. Weird, right? I mean history never provides advice for the future, especially since so much has changed in the last few months alone. An article on FireceGovernement from August 2011 focused on the fact that Agencies are obsessed with compliance which ultimately obstructs their vision for creating a cybersecurity program, not simply a compliance program. The first quote in the article state that if you are chasing down compliance only, and that is your main focus then "you are spending too much money already." Focusing on simply checking the box will have you constantly over your shoulder instead of looking for where you are still vulnerable. You'll end up pivoting between the compliance boxes and management, never keeping your eye on the real danger - the attacker.
What Brian was able to do with his 37 pieces of flair was give himself some breathing room in multiple areas, mostly management pressure and his minimum compliance standards. Brian knows each piece of flair, what it is and how it impacts those around him. Jennifer isn't quite sure what she has, but she knows she has something and that something should be good enough. While that may have worked in the beginning, just like solely focusing on security benchmarks, that vision is no longer good enough.
Don't worry, you have help on the way and you really aren't in this alone. Thanks to breaches like Adobe and Target, the calls for change have grown even louder. Being that cybersecurity is constantly evolving the tool sets needed to create that holistic vision should become more attainable to get a hold of for each agency. On Jan. 29th the GSA, in response to a 2013 directive from President Obama, published a report highlighting 6 recommendations to make the procurement of these tools easier. These recommendations, listed below, are aimed to better arm and fortify the nation's cyber defense by giving the agencies a clearer purchasing avenue to navigate. This now falls onto the individual agencies to put these recommendations into practice. Doing so will begin to standardize the procurement process for cyber-tools which will continue to refine the process.
- Institute baseline cybersecurity requirements as a condition of contract award for acquisitions that present cyber risks.
- Include cybersecurity in acquisition trainings, including training for government contractors.
- Develop common cybersecurity definitions for federal acquisitions.
- Institute a federal acquisition cyber risk management strategy.
- Require suppliers or re-sellers to purchase from original equipment manufacturers, their authorized resellers, or other trusted sources.
- Increase government accountability for cyber risk management.
While nothing is ever perfect, except for Brian's flair, this is a giant step in the right direction. These steps will lead to confidence in our nations defenses, from the 3 branches as well as your customers - the citizens of this great nation.