Good cybersecurity requires leadership buy-in and fostering a culture of cybersecurity in your organization, according to federal and industry cyber leaders at last month's CrowdStrike 2021 Cyber Summit.
Federal and industry cyber leaders illustrated diverse ways to foster a strong internal cyber culture during the event. Amanda Crawford, CIO for the state of Texas, said she made compliance excellence one of her key priorities — which includes cybersecurity compliance.
“As the leader of the organization, I articulate [that] out and it's just known across the agency,” Crawford said during a breakout session. “It can be awareness campaigns, emails or just getting to know your friendly neighborhood CISO. You want people to come to you when they have an issue. There's no silver bullet, but the idea is, making [cybersecurity] a team sport. We're all in it together. These things — they can happen, but the key is, what do we do, what's the next right thing?”
Justin DePalmo, CISO for General Dynamics Ordnance and Tactical Systems, said positive reinforcement is key.
“Our job as leaders here is to find that right balance between risk mitigation, acceptance and avoidance,” he said. “It's another motivation to our leaders, they've got a lot more decisions to make. And have a plan to pick ourselves up.”
Cyber leaders at the Department of Homeland Security argued cybersecurity requires constant vigilance, whether you’re at home or in an office.
“Cybersecurity is not done when you go home at the end of the day,” said Ken Kline, director of cyber engineering at the Federal Emergency Management Agency (FEMA). “It's got to be continuous — holidays, weekends, etc. We're engineering, building tools, deploying, and with very high-risk projects there's always things that could go wrong. So how do you approach that so people come to you with problems and not hold one person wholly accountable for [an] outage? Because otherwise how do you get the team to be fully behind you?”
Shane Barney, CISO at Citizenship and Immigration Services, believes federal agencies can strengthen their cyber postures by being smart about cloud migration and development. Too many applications and tools, he said, create more opportunities for cyber criminals and nation-state actors to infiltrate a network.
For starters, federal agencies should limit themselves to one cloud provider, he said.
“A single cloud provider is a challenge by itself, but if you throw more in there it becomes exponentially harder,” he said. “Experts in Amazon are not experts in Google or Azure. A lot of our applications rely on third-party vendors and other SaaS products and integrated levels. Understanding and mitigating those risks, it's a big challenge, it's a lot of effort and a lot of work (with just one cloud provider).”
Barney also thinks federal agencies should work on smashing security silos to improve communication about cyber threats and vulnerabilities.
“One of my key tenets is to end silos in security,” he said. “You'll have branches and divisions that don't really interact with each other and they do very similar work or work that's complementary to each other. Starting to invest in [DevSecOps] teams peppered throughout my organization so that when we find things or come across things, I don't want a manual process. I don't want a spreadsheet or PDF file, I want to automate it and build it into our security platform.”
Cyber and ransomware attacks have dominated news headlines in recent months, but DHS cyber leaders consider this an opportunity rather than a cause for alarm.
“We can't be afraid of saying we're in a heightened risk environment,” said Bob Kolasky, assistant director for the National Risk Management Center at CISA. “My goal is five years from now for us to say, 'Our cyber systems are more secure, we're more resilient in our country, and cyber criminals are not going to do things that impact our national security.'”
Federal agencies can start by implementing zero-trust architectures, sharing information with CISA about cyberattacks and vulnerabilities, and investing in contracts with IT suppliers who prioritize cybersecurity in qualitative ways.
“When you're establishing business relationships with a supplier, make sure you're setting expectations in those contracts so that they have good cybersecurity practices and you can monitor those cybersecurity practices and attest that someone else's cybersecurity risk isn't being passed on to you,” Kolasky said.