Last Friday, as many of us had our minds on Halloween plans, Tony Scott released the Cyber Security Strategy and Implementation Plan for federal cybersecurity. Scott, former VMware exec and sitting federal CIO, released his recommended priorities for federal agencies following the “Sprint” assessment conducted over the summer.
One has to think the Federal government, all the collective agencies overseeing critical functions of the United States, may know some things that we are not privy to. After suffering a major data breach within their own ranks, we know they know a thing or two about risk as well. So when the guy in charge of setting cyber priorities for the country releases his short list, it certainly will contain some good indicators of where we should be focused in our organizations as well.
Identification and Protection of High Value Assets and Data
A critical issue we run into with many clients is the difficulty of identifying exactly where and how their critical data could potentially be accessed. You may think you know, but can you be certain? If you have not had a thorough risk assessment by an objective outside partner in the last year or so (or since any significant updates or changes to your network), you may not be aware of all of your risk factors or potential access points. Any comprehensive cyber security plan must start here.
Detection and Quick Response to Security Incidents
As Federal employees have learned, it may not be “if” but “when” your organization experiences an incident or data breach. An “incident” can be any anomaly in the network that may or may not have been initiated by an attack. It is simply a potential breach. How quickly and how well you respond may be the difference between an incident and a breach – or between a recoverable and a devastating breach. If your organization does not have a clearly outlined plan that has been practiced by your team and can be enacted at a moment’s notice, your risk is compounded. Should an incident arise, the consequences of being unprepared would be compounded as well.
Recovery and Remediation Following a Breach (Lessons Learned)
The third priority outlined in the strategy involves what happens following a security incident or data breach. Following the “Sprint” assessment and breach of millions of federal employees’ data, Scott’s team took the last few months to assess the lessons to be learned and to outline the steps necessary to prevent future incidents. As the agencies directly responsible for enforcing federal regulations such as HITECH/HIPAA and PCI, the federal government has an obligation to meet the same standards imposed on the rest of us. As the federal government works to remedy the lapses in security and procedures that led to the recent breach and remediate the problems, your organization needs to pay close attention to lessons learned following a breach as well. The wise IT team will also pay attention to lessons learned following other highly publicized breaches such as that suffered by federal employees.
Recruitment and Retention of Qualified Cybersecurity Staff
October was Cyber Security Awareness Month and featured one week dedicated to the shortage of qualified IT security personnel to meet the demands of business and government agencies. The federal government has made a concerted effort to beef up its security personnel but, despite significant budgetary considerations, agencies still struggle to fill newly created positions critical to security. Awareness and industry discussion fostered by Cyber Security Awareness efforts will eventually lead to an influx of security professionals to meet the demand. But this influx will not be created overnight and the benefits of experience will take even longer. For now, managed security may be the best option for overcoming staffing obstacles.
Efficient and Effective Adoption of New Technologies
Scott noted in his post last week that “we must acknowledge the modern reality that the work of addressing cyber risks is never finished and is ever changing.”
Federal agencies must focus on priorities similar to those facing your organization: identifying the valuable data that may be at risk, planning a quick response should you encounter an incident, remediation for compliance and/or following a breach, and meeting the current staffing challenges in IT security. As you work hard to lay a solid security foundation, you know that risks and technologies continue to evolve. What is secure today may be at risk tomorrow. New technologies are evolving along with the risks, but adopting new tools and technologies can be challenging. An objective, third-party partner can be better able to recognize inevitable difficulties as your organization and processes must adjust and evolve with the tools for security in the future.
The list of priorities presented by Mr. Scott provides a perfect outline for virtually any business or organization. As your team works to maintain security and compliance, the plan outlined here by the collaboration of federal agencies can serve as a roadmap for your company as well.