I recently moderated two fantastic panels at the Billington Cybersecurity Continuous Diagnostics and Mitigation (CDM) Forum at the National Press Club. It was a unique opportunity for Federal and industry cyber leaders to come together to discuss securing our government’s IT networks from the cyber threat landscape.
There was a lot of learning that took place during the forum, but for me three critical points really stood out:
- A successful Cybersecurity program has to be operationally relevant to an agency, and the CDM program is driving visible success in that area.
- Federal CISOs are finding their jobs evolve: they are being asked to look beyond compliance to providing cyber-related insights to executives for mission planning.
- State and local governments will find their innovative Cybersecurity efforts can be augmented through the CDM journey.
An Operationally-relevant Cybersecurity program
Cybersecurity isn’t a threat that can be solved once by a program or tool; it is an ongoing process to be managed. That’s the core of why the CDM program can be effective: it establishes a framework and process to manage the threats that degrade, disrupt, and destroy government services. As DHS’ John Streufert pointed out:
- 75% of attacks use known vulnerabilities.
- 90% of successful attacks require only the most basic techniques.
- 96% of successful breaches can be avoided by simple or intermediate controls.
Therefore, a well-executed CDM program can substantially reduce risk to an agency. At the forum, we discussed some of the tactical best practices for reaping the benefits of CDM. Implementation was a key area. As agencies implement the program, they should regularly measure its effectiveness against those critical objectives. Agencies need to identify and define the characteristics of a successful Cybersecurity program.
Obviously, a CDM implementation is not a silver bullet or a time-defined process; rather, I describe it as a purposeful journey to secure mission-critical infrastructure in the face of the cyber threats civilian government faces.
The Cyber Landscape Brings New Roles and Job Descriptions to Federal CISOs
As important as the tools of Cybersecurity are, it is the human aspect, particularly the role of the CISO, that is critical to an agency’s cyber efforts. Establishing a robust Cybersecurity program goes beyond obtaining and using the related CDM technology tools. Successful implementations require new processes and new roles for Information Security resources.
It was very informative to hear Melinda Rogers, Rod Turk and Joe Albaugh, the CISOs for the Departments of Justice, Commerce and Transportation, and Jonathan Trull, the CISO for the State of Colorado, discuss how adopting new human capital models has been a critical component of their efforts.
They all stressed that Cyber events don’t only raise security considerations – they drive mission impact plans. They have all shown, through their distinguished and successful tenures, that CISOs need to change the level of engagement they have with their agency’s leadership.
Their experiences show a new imperative for CISOs: elevating their role beyond technical conversations on compliance to active efforts to protect systems. An agency’s Cybersecurity team needs to provide actionable information to agency executives, not checklists, scan outputs and other raw data. CISOs are increasingly being asked to develop ideas, plans, and frameworks that translate their agency executives’ goals into Cybersecurity practices.
CDM for State and Local Governments
DHS’ CDM program will also help State and local jurisdictions enhance their cyber defenses by facilitating effective and operationally relevant Cybersecurity deployments. DHS is exploring methods to bring an affordable security program to the state and local government level, such as an e-commerce portal for a cyber-marketplace. DHS’ efforts support existing cyber best practices that state governments are deploying, such as partnerships with the private sector, engaging the expertise of the National Guard, and developing regional security hubs to serve distributed jurisdictions.
In short, the Billington Cybersecurity CDM forum articulated the benefits and goals participating agencies can expect from a CDM implementation, as well as tactical insight into the procurement process. For example, GSA’s Jim Piché gave actionable insights into the ordering process and GSA’s CDM Ordering Guide. Importantly, it was a very interactive forum, and that helped Federal IT leaders get a good feel for the roles, responsibilities, and operational strategy that accompany the CDM process.