The federal government has experienced a dramatic strengthening of its cybersecurity culture in the year since agencies governmentwide were required to take part in a sprint to improve their information security hygiene, a pair of leading cyber officials said.
Prior to U.S. CIO Tony Scott ordering all federal agencies last June to take part in a 30-day cybersecurity sprint to patch vulnerabilities, accelerate the use of multifactor authentication and deploy other security protocols, cybersecurity was a problem often left up to the CISO alone, said Mark Kneidinger, director of the Federal Network Resilience Division within the Department of Homeland Security’s Office of Cybersecurity and Communications.
“But with the cybersecurity sprint activity that occurred last summer, I saw a burgeoning of a change occurring where the CIOs and CISOs were working collectively to deal with the tough problems Tony Scott had laid out,” he said of the initiative, launched after the Office of Personnel Management revealed catastrophic breaches of its personnel and security clearance systems.
And it goes beyond that, Kneidinger said. “We’re all seeing a lot of collaboration going up, with the deputy secretaries taking more of the direct responsibility not only for cybersecurity, but also supporting the CIOs.”
OPM in particular has shown a lot of improvement in spreading the importance of cybersecurity beyond its IT personnel, said Clif Triplett, a senior IT and cyber adviser at OPM.
“We have the discussion of cybersecurity at every level, at every major forum — cybersecurity is now very much a part of our culture,” Triplett said, crediting acting Director Beth Cobert for the change. “As she joined us, it really helped manifest and support that culture.”
While the technology tends to get the bulk of the focus in cybersecurity, both Triplett and Kneidinger, who spoke on a panel Tuesday at Brocade’s 2016 Federal Forum produced by FedScoop, said those investments are worthless if personnel don’t understand the importance of the tools and foundational cyber hygiene.
“Yeah, you buy technology, but it’s really about a culture of cybersecurity, and it’s got to touch everything,” Triplett said. OPM conducts training on the DHS’ Continuous Diagnostics and Mitigation program, two-factor authentication, patching, and other cyber best practices, he said.
“We’ve put a lot of emphasis into training the organization as part of that cultural transformation, and I think it’s having a lot of returns.”
Kneidinger said as DHS plans to introduce phase four of the CDM program, it’s looking beyond securing the endpoints of federal systems, not only to the data outside the network, but also “ensuring that the cybersecurity culture is where it should be within the departments.”
“One thing is putting capabilities in place; the other is ensuring that the human factor is being addressed,” he said.
“Those are complex new capabilities that we’re bringing to the agencies, and it’s more than just, ‘OK we have it, we need to get trained up on it.’ It also has an increasing impact on the mission owners. With that we need to ensure that there’s an awareness that everybody actually owns cybersecurity” to best leverage the investments.
Contact the reporter on this story via email at Billy.Mitchell@FedScoop.com or follow him on Twitter @BillyMitchell89.