Kurt Steege, chief technology officer at ThunderCat, and Peter Romness, cybersecurity principal at Cisco, together bring decades of experience advising IT leaders in the U.S. government.
The pandemic proved to agency leaders that they can offer a more flexible work arrangement for government workers. But securing a remote and hybrid work environment for today — and tomorrow — requires greater attention to a holistic security strategy.
Flexibility built into both policies and the underlying IT infrastructure is one way that CIOs and CISOs can accommodate a new way of working. And what agency leaders should aim for is a near seamless and equitable work experience — whether from home or from the office.
The good news is that thanks to the investments many agencies made to use cloud infrastructure, IT leaders are now in a position to take advantage of more effective cloud security capabilities around data. That includes identity and access controls that can reduce agencies’ overall security risks in the years ahead.
Smart cloud decisions yesterday make today’s response possible
The immediate need during the pandemic was to adjust IT systems so that employees could work productively at home. Secondary to that, agency IT departments needed to make certain those systems were secure. Unfortunately, the traditional “checkbox approach” to securing systems is no longer enough to lessen the level of cyber risk agencies face today.
Building a holistic security strategy will take both time and money, and agencies face many limitations on both.
The bright side is that we have seen how the Cloud First and Cloud Smart policies set by the last two administrations have paid off in big ways. In fact, the most notable successes in facilitating the mission during the pandemic are coming from organizations that have been leveraging their cloud investments.
The biggest change making a difference in security — more than any other security practice — is when organizations use cloud tools to implement dynamic and persona-based policies that control access to agency resources. That not only improves security; it also improves the user experience by allowing people to view content in a way that helps them in their job — regardless of the location — without jumping through a variety of security hoops to make that happen.
Achieving those improvements, though, requires visibility across the network. From a data security standpoint, that means understanding where your data is, how it is being used and accessed, and how the network behaves, and knowing what policies have been built.
Investing in security for hybrid work environments
The future of work is poised to look very different across both the government and private sectors now that leaders and employees alike have experienced many of the positive benefits of a flexible work environment.
One of the discussions we have been a part of with some of our customers concerns a thoughtful transition to a “30-40-30” office-home work model: 30% of an organization’s staff may never return to the office; 40% may go back to the office a few days a week; and the remaining 30% would most likely work full-time at the office.
To secure this new work model, our first recommendation involves matching policies with existing use cases. Even before you look at the security tools you plan to use, weaving together policies regarding identity and data will make the whole system run more smoothly and securely.
Our next recommendation — and often a sticking point when managing data security — is understanding appropriate levels of security classification and sensitivity. For agencies that work in a more classified or sensitive area, it’s easy to just classify everything the same. But it’s also important to look at the long-term needs of users. The good news is, dynamic policies make it easy to adjust the data classification to be more variable, depending on the user and type of data.
That ties into our third recommendation, which is identifying what you have. A lot of organizations don’t know where to start in this endeavor. They don’t know what data they have or where it is; they often don’t even know all the devices that are in their environment or what those devices are doing. Having an accurate inventory really matters.
The value of working with strong partners
While on the surface these recommendations may seem simple, the complexity of agencies’ enterprise networks brings a lot of challenges. That is why we promote working with a strong integration partner to get the most from your existing security investments and lessen the burden of acquisitions for new tools.
The partnership between ThunderCat Technology and Cisco offers a great resource for agencies to integrate and automate Cisco’s security tools across agency networks because ThunderCat Technology has built a practice around Cisco’s suite of solutions.
Cisco brings a full range of tools that provide the strongest levels of visibility, flexibility and security. ThunderCat Technology, meanwhile, understands all the components operating across an agency’s systems, and can serve as a knowledgeable advisor for how to best develop a holistic security strategy across multiple vendor partners so everything works together.
Learn more about how ThunderCat Technology and Cisco can help your organization integrate a holistic security strategy.