Insight by Carahsoft

3 ways agencies can buy down cyber risk

Dennis Reilly, the vice president of federal sales for Gigamon, said agencies should focus on people, process and technologies to address cyber challenges.

Buying Down Risk

It's important for the federal government, and we have a responsibility as a federal government, to use every cybersecurity dollar to get the maximum return on buying down that risk.

People and Processes

I think we have to equip our workers with the latest technology.

The concept of cyber risk management has been gaining steam over the last few years. The idea that an organization can secure everything is unrealistic and impossible.

Starting in 2015, the Office of Management and Budget pushed for agencies to identify high value assets and secure them first.

Over the last two years, the Homeland Security Department has been helping agencies get their minds around managing their cyber risk. DHS has conducted a total of 100 security architecture reviews, and risk and vulnerability assessments. DHS also is planning another 60 reviews for 2018.

Agencies also submitted risk management reports to OMB earlier this year as part of meeting the requirements of the cyber executive order.

This was really the first time agencies had a consistent review of their cyber risks. It also let them map threats to capability to investment as well as use FISMA metrics to track and assess their own risks.

All of this data lets OMB and DHS compare apples-to-apples across the agencies for the first time.

So how do agencies move forward to do more than understand their risks, but actually buy it down and ensure their employees have the proper skillsets to manage this process?

Dennis Reilly, the vice president of federal sales for Gigamon, said agencies need to seek progress in reducing their risk by focusing on three areas:
• People
• Processes
• Technologies

“People are the toughest one. There’s been some surveys  sponsored by NIST that show there are currently 780,000 cybersecurity positions in the U.S. and 350,000 are open today. Worldwide it’s expected to grow to about 3.5 million positions [according to Cybersecurity Ventures] and about half a million in the U.S.,” Reilly said on the Innovation in Government Report. “No matter what we do as a government, I think it will be very difficult to close that gap. We need great people. We need to train and retain them, but the gap will never close. So we will have to look at processes and technologies to be a game changer.”

Reilly said that game changer will be technology both in terms of automating processes and analyzing threat data.

“The challenge for the government and for industry is to find those handfuls of technologies that are real force multipliers so they can make a big impact on the cyber fight, and make it more of an equal fight. Right now it’s more asymmetric to the advantage of the attacker against the defender,” he said.

“So finding those and implementing those technologies quickly you can get that force multiplier effect and get the maximum return on those investments.”

The idea behind force multipliers is the goal of gaining more productivity from existing cyber sensors and tools.

Reilly said, for example, an anti-malware tool could be fine-tuned to analyze only email, instead of email, voice and video traffic, which will help make sure the tool doesn’t slow down network traffic.
“If you do that over 10 or 12 tools and get 15 percent more productivity out of each of those tools, you will really see big benefits,” he said.

Reilly said as agencies move to the cloud, it becomes even more important to fine-tune those cyber tools. CIOs and chief information security officers still are trying to grasp who is ultimately responsible for protecting the data, and if so, what is the best approach.

“I see more and more agencies thinking about security from the inside out. Know what I have in my environment, know where my data is, know what’s happening on my network and then secure it. The underlying premise there is you need to be able to see it to secure it. You have to have visibility, data at-rest, encrypted and know who is on your network,” he said. “The tougher problem that agencies are finding is data in motion that traverses the network. The reason why that’s becoming a tough problem is it used to be you just had the physical infrastructure. But now you have virtual environment, the software-defined environment and with the current administration, a move to the cloud.”

Reilly said as agencies continue the push toward IT modernization, understanding which systems present the biggest risks to their mission is paramount to mitigating and protecting against threats.

 

About Gigamon

Gigamon provides intelligent traffic visibility solutions for enterprises, data centers, and service providers. We empower unmatched visibility into traffic, traversing both physical and virtual networks without affecting performance or stability of the production environment. Our portfolio of availability and density products delivers network traffic to security, monitoring, or management systems.