Cybersecurity may be the top issue keeping federal CIOs, CISOs and other IT officials up at night — but it doesn’t exist in a vacuum alone.
In addition to strong cybersecurity risk awareness and mitigation policies, as well as state-of-the-art threat detection software, agencies must also equip themselves with top talent, modern systems, efficient procurement practices and more to prevent themselves from malicious intruders.
This month, FedScoop and CyberScoop gathered two dozen leading federal CIOs, CISOs and IT officials from the public and private sectors at its headquarters in the heart of Washington, D.C., for a candid discussion about federal cybersecurity, particularly in a time when threats continue to grow in scale, frequency and novelty. While the discussion centered around the cybersecurity, it became apparent just how important other areas like IT modernization, workforce recruitment and acquisition are to safeguarding systems.
To inspire an open and honest talk, the meeting was not-for-attribution, but FedScoop did take account of five broader challenges and action items facing agencies.
Here’s what they were:
Talent, talent, talent
Without hesitation, the IT executives pointed to a talent shortage as the biggest challenge looming over the security of their enterprises.
They echoed the typical refrain in the federal government of “We can’t compete with what other people can pay outside government.” But some even pointed out the inequality across the federal government, which makes it even harder for smaller agencies.
“Inequality across the federal workforce means I’m at an immediate competitive disadvantage compared to other agencies,” one executive explained.
“There’s power in short-term exchange programs,” one CIO said, touting the idea of a Cyber National Guard that’s been tossed around by officials like Rep. Will Hurd, R-Texas, but never executed.
Many federal workers cite their sense of civic duty as why they chose their line of work. Attendees acknowledged the importance of that fact.
“We have to think about it not just in terms of pay, but how are we marketing the benefits of working in the federal government. We have to find a way to appeal to them,” one executive said.
For instance, the federal government can offer to pay for an employee’s college degree or pay off school loans.
Others said it’s important to encourage private business to work more closely with the federal government, perhaps lending talent for a year or two. “At the end of the day, if we don’t work together, we could become the United States of something else,” said an IT executive.
Resist the shiny objects
Too often, agencies buy “shiny new tools” that are duplicative or unnecessary, those gathered explained.
“They come in with the shiny cool stuff, they come in pretending to have these things, but we are just not able to do that stuff,” one official said of working with vendors.
“It’s not because industry is bad, it’s because industry has a different set of goals: the dollar and the bottom line, and they’re driven by shareholders,” another said. “We inside of government have to get a little bit better.”
An industry executive agreed: “We’ve seen so much waste.” But, he asked, “What is government doing internally to learn, get smarter and be better about buying?”
“Nine times out of 10, there’s a real business problem or mission problem that’s trying to be solved, and they buy it for that specific problem, and then they don’t follow through enforcing its use,” one person said. “People are creatures of habit, and if management doesn’t follow through and change those habits, then you’re never going to get value out of that shiny object.”
Indeed, the group honed in on the need for better accountability: “OK, you have the latitude to buy the shiny object, but you have to achieve these goals, show results.”
Agility in cybersecurity
Despite a larger movement toward agility in the procurement of IT in the federal government, there’s a lack of tolerance for the same when buying and building cybersecurity tools, officials said.
“Cybersecurity is massively risk-averse … agility and the idea of the minimum viable product has not been adapted for cybersecurity because if we screw up, we’re screwed,” an executive said.
The acquisition process, when it comes to cybersecurity, is inflexible and ultimately an impediment, they said.
“We need to find a way to adapt that so that we are strategically looking forward, we’re getting the new technology, we’re not stuck in the acquisition process. We need to find a security version of failing forward.”
One attendee said “It’s the small wins, the low-hanging fruit” that will get the ball heading in the right direction.
Central to cybersecurity is the need to modernize systems. It’s increasingly more difficult to secure ancient, legacy systems.
“It’s about IT and cybersecurity. We keep separating those two worlds — we’ve created stovepipes,” a CIO said.
But that doesn’t make it the answer to every challenge.
“On the other side, you see people who are modernizing for no reason,” one official said.
Modernization is also next to impossible if you don’t know what you have in the first place, the group said.
“We don’t know what’s in our enterprise the way we should, and we’re our own worst enemy,” an executive said.
Many in the room agreed on one point for federal IT in the era of the cloud: In most cases,”we don’t need to own.”
Finally, those gathered unanimously agreed that the FISMA reporting process isn’t good for anyone, saying the numbers are “meaningless” to leadership and a major waste of time for the CIO’s office.
“Can anyone say the quarterly FISMA report has made their enterprise safer?” one official said.
The issue, they agreed, is a lack of communication, both around IT needs and the risks they face.
“We have to start communicating as IT professionals better. It’s not an IT thing — it’s a business risk,” one person said.
Another added: “Congress is in a world of their own. OMB is the bane of everyone’s existence with their data calls. Then we have DHS and GSA with the CDM program, and then you have FITARA and this and that. When can we actually get some work done. If we actually communicated with each other before we passed some of these rules and legislation, our lives might be a little easier.”
Congress, it seemed for many, is the root of the problem. There’s a widespread lack of understanding on the Hill when it comes to IT, the group said.
“Senators don’t understand the problem at all,” an IT official said. “They don’t understand computers.”
And that often leads to unfunded mandates, which can leave smaller agencies dead in the water during strategic governmentwide improvements, like the continuous diagnostics and mitigation program.
“How many people’s budgets got increased to accommodate EINSTEIN? How many for CDM?” one CISO said. “We’re constantly being told we need to do this, we need to do this, we need to do this … but there’s no enterprise view of it.”