Enabling business through cybersecurity

Gone are the days when organizations could isolate cybersecurity issues to the IT department. With the number and seriousness of breaches impacting so many organizations, cybersecurity should be seen as a business enabler. According to the 19th annual Global State of Information Security Survey (GSISS), produced by PwC, “most organizations no longer view cybersecurity as a barrier to change or as an IT cost”. Forward-thinking organizations view investments in cybersecurity as the enabler of innovation, growth, and competitive advantage.

On this episode of CyberChat, host Sean Kelley, former Environmental Protection Agency chief information security officer and former Veterans Affairs Department deputy chief information officer, discussed the enabling of the mission through cybersecurity with guests:

  • Rosetta Lu, presidential executive fellow and senior adviser, VA
  • Chad Sheridan, CIO, Risk Management Agency, Agriculture Department
  • Mittal Desai, CISO, Federal Energy Regulatory Commission

In most organizations, senior executives are all too aware their organizations are targets of cyber adversaries. Sheridan said CISOs and CIOs should get away from the department of “no.” To achieve this, “IT needs to learn how to speak their language instead of trying to make the executives in your agency speak your language,” Sheridan said.

FERC’s Desai agreed. “The days of ‘CIS-No’ are completely gone and they take steps to ensure IT understands the lines of business and business processes to further agency mission support,” Desai said.

Lu at VA takes a different approach by developing End User Journey Maps. “Journey maps are not for business owners, but also for employees as well and is a way to fully understand the process and critical points along the life cycle that end users go through to get things done,” Lu said.

Legacy systems are another challenge government executives face when it comes to delivery of services. Similar to many federal agencies, FERC, VA, and USDA struggle with systems that were built decades ago, but are a part of the critical infrastructure. “If we don’t remove this loadstone of legacy systems from around our neck, we’re never going to be more secure; we’re never going to be customer focused. The time is now,” Sheridan said.

So how do they move forward? “As a small agency with limited funding and resources, I can’t see everything on the 24 by 7 shop. Now, if I could outsource that to a company that could do some of that work for me while I know that they’re meeting compliance for requirements from a FedRAMP perspective, I have comfort around that,” Desai said.

Lu looks to the cloud for answers. “Cloud platform gives us an advantage into moving into a new area, a new space. We have so many legacy systems out there that have been customized which creates some challenges in getting things done. We need to work with the business to look more strategically, so when we have business requirements and we have an opportunity now to go on a cloud platform, where we don’t need to customize,” she said.

From a workforce perspective, it is critical to focus on other skills besides just technical or IT. In the technical community, there has been a growing appreciation for project management methodologies.

“Cyber professionals are very technical; you got the engineers, personalities very focused on ‘butts in seats’ model and they’re always focused on managing events. Communication is going to be paramount. Some of the soft skills if you will; writing, communicating to different audiences, being able to articulate impacts of risk is critical going forward,” Desai said.

Top 6 takeaways

1. CISOs have to pivot from “no” to “yes, and”.
2. Journey maps are valuable in showing critical points along a life cycle.
3. Legacy systems hinder more secure and customer-focused delivery of services.
4. Some integrators of cloud-based security have environments with stronger security controls than the federal government. The cloud platform provides an opportunity to move into a new area.
5. The executive order sheds light on “modernization of IT systems”.
6. Cyber professionals need to be focused on the MBA or business mindset and be able to implement these services and change.