At the highest levels of the US government’s executive branch, one will find two vastly different personnel pools. On the one hand are the political appointees in charge of defining a vision for the future, as well as providing the immediate direction staff must follow. On the other hand are the civil servants, immune from political wind shifts, who are left to carry out the orders regardless of which political party is in charge. It’s a problem each presidential administration faces, and one that presents a unique challenge in the quickly evolving world of IT.
“The White House, if you think about it, is like a new start-up company every four or eight years,” says Alissa Johnson, former deputy CIO at the White House. While the political appointees at the top change from year to year or administration to administration, there are still more than 300 IT professionals serving the Executive Office of the President who remain regardless of who is in charge. Johnson, a former political appointee and now CISO for healthcare technology company Stryker, recalled there were some strategic issues that needed addressing when the Obama administration took over in 2009.
“We were met with desktops and floppy drives,” she told the audience at the recent DCD Enterprise event in New York. One of her core responsibilities was information security for the White House, and one of her primary objectives was to build an information security program from several common core concepts that would endure through all of the changes, and into future administrations.
Because most security breaches result from human error, or a lack of proper maintenance, there is no magic potion or must-have technology that leads to successful information security. What’s important, Johnson reminded the audience, is to re-examine the fundamentals and then actively implement them as part of an ongoing program.
Core principles
The overarching key to a sound information security strategy is to secure the data, and not the infrastructure it traverses. “The data surpasses the infrastructure,” Johnson observed.
“I’m not going to tell you anything earth-shattering or new. Learning is all about remembering what you already know and putting it all together in a different way.” Just because she worked at the White House, Johnson mused, it doesn’t mean she has the market cornered on sage-like advice. “Remember, we are still trying to weed out floppy drives,” she said jokingly.
While the following list of principles is not exhaustive, the former White House deputy CIO says anything missing can likely fit into one of these areas:
- Vulnerability and threat management
- Identity and access management
- Incident and crisis management
- Configuration and change management
- Event and data management
- User management
- Risk and compliance – the nucleus of them all
The percentage of websites that contain vulnerabilities is astounding, Johnson observed, and the data backing up these observations should be used to support your argument for more budget dollars. Quantitative measures are – and will always be – necessary to meet this objective.
Identity and access management is an area where Johnson has seen many approaches fail. In her view, there’s no reason why it should take a month, a week, or even a day to de-provision user credentials once a person has left an organization. “We are in the technology era, and there is no reason that, when someone leaves, you can’t just disable their account,” she said. “There’s a sense of laziness with this at some point.”
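One concrete way to hold an organization to the standard Johnson describes is to reconcile the HR list of departures against the accounts that are still enabled, and to report the lag in days for every account that should already be disabled. The script below is an added illustration and not code from the talk or from any of the organizations named; the usernames, departure dates and the active-account snapshot are constructed sample data, and in practice they would come from the HR system and the directory service.

```python
from datetime import date

# Constructed sample data (not from the article): an HR roster of
# departures and a snapshot of directory accounts that are still enabled.
HR_DEPARTURES = {
    "jdoe": date(2024, 3, 1),
    "asmith": date(2024, 3, 14),
    "bwong": date(2024, 3, 15),   # already disabled: not in the active set
}
ACTIVE_ACCOUNTS = {"jdoe", "asmith", "cbrown", "svc-backup"}

# The date the reconciliation is run (constructed for the example).
AS_OF = date(2024, 3, 15)


def overdue_accounts(departures, active, today, grace_days=0):
    """Return {username: days_since_departure} for every account that is
    still enabled after the departure date plus an optional grace window.
    The article's position is that the window should be zero days: an
    account left enabled for even one day after departure is overdue."""
    overdue = {}
    for user, left_on in departures.items():
        if user not in active:
            continue                      # already de-provisioned
        lag = (today - left_on).days
        if lag > grace_days:
            overdue[user] = lag
    return overdue


def worst_lag(overdue):
    """Quantitative measure of the kind Johnson asks for: the longest time
    any departed user's account has remained enabled, in days (0 if none)."""
    return max(overdue.values(), default=0)


def report(departures=HR_DEPARTURES, active=ACTIVE_ACCOUNTS, today=AS_OF):
    """Produce a plain-text summary suitable for a daily review."""
    overdue = overdue_accounts(departures, active, today)
    lines = [f"De-provisioning check as of {today.isoformat()}"]
    for user, lag in sorted(overdue.items(), key=lambda kv: -kv[1]):
        lines.append(f"  DISABLE {user}: departed {lag} day(s) ago, still enabled")
    lines.append(f"  worst lag: {worst_lag(overdue)} day(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run daily, the `worst lag` figure gives the "quantitative measure" Johnson says is needed to justify budget: a value that stays at 0 is evidence the de-provisioning process works, while a rising one shows where the process is failing. Raising `grace_days` above zero documents an exception rather than hiding it.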
“Cybersecurity becomes the biggest thing, but only when something happens,” Johnson explained, continuing down the list toward incident and crisis management, which she views as the most important point for organizations to address. It’s often the case, in her experience, that money comes pouring into cybersecurity functions only after an incident occurs – along with the accompanying phone calls from management who were previously unconcerned about the vulnerabilities.
Even after having left the White House, Johnson said she received a call from her former employer recently about how to properly respond to an incident. Cybersecurity, she implored, can’t be a one-time response to an incident, but should be “a lifelong opportunity” for further growth and education.
Cybersecurity must be a business enabler in today’s environment, underlining her previous assertion that it’s an opportunity for growth. “If cybersecurity fails, then nothing else goes right,” she contended. Business metrics, sales, and opportunities – “they all go out the window if cybersecurity is not addressed correctly.”
The overall lack of cybersecurity preparedness is a major concern of Johnson’s, especially at the dawn of the Internet of Things era. Right now, as she explained, we live in a world of information silos that have yet to converge into a true IoT: “If we can’t even secure and handle the crises we have now, then what happens when all of our information is already out there and it comes into a converged [state]?” Measuring risk and security, she concluded, not only takes into account what we face now, but how the decisions we make will impact us in the future.
Managing change
The overwhelming majority of security breaches are not the result of sophisticated hackers leveraging zero-day vulnerabilities. Most breaches can be effectively thwarted through properly maintained and configured systems. Johnson cited data which suggests 42 percent of breaches are the result of misconfigured systems.
These misconfigured systems are prevalent in nearly all organizations. “I’ve worked at the NSA, FBI, CIA, DIA, Lockheed Martin, Northrop Grumman, the White House, and none of them have had good configuration management practices,” Johnson told the audience. At the White House, they needed to hire a change management liaison to coordinate all of the changes occurring on its network.
But managing configuration changes isn’t the only type of change management required of a successful information security program. Transforming how the rest of the business views and interacts with the IT security department will be just as crucial as security moves into the realm of business enabler.
New products, and updates to them, must undergo cybersecurity evaluations, not to hold up the process but so the business can talk to customers and educate them on any potential impact, Johnson said. “Cybersecurity has always been perceived as the scary group – the group of No!” she lamented. She hopes to move the attitude from a culture of “No, but” to a more forward-thinking security culture of “Yes, and.”
This is where security and risk meet. Managing the transition toward a business-enabling security program means people in Johnson’s position will no longer deliver the axe to a project; instead they will lay down the risks to the rest of the business to determine if it wants to accept them, or mitigate them.
Filling potholes
There are many issues to address when formulating a comprehensive information security program. But how can organizations simplify their strategy in responding to them? In Johnson’s view, there are three approaches organizations employ in this area, and most use a combination of them at any given time. They are what she calls ‘Three Stages of Information Security’: Activate (bolt-on security); Adapt (built-in security); and Anticipate (built to go beyond security).
“I think all organizations go through all three of these phases,” she observed. The proactive approach, however, is to anticipate. Assuming your systems have already been breached, or assessing what effect the latest consumer device will have on your IT infrastructure before it hits the shelves, are both examples of proactive security. Only by employing anticipatory security can organizations move from a static defense posture that simply reacts to events into a dynamic one that prevents incidents or detects them in near real time.
“It’s like filling potholes,” concluded Johnson. “You will always be filling potholes unless you have a good strategy for change into the future. You will always be reactive and not proactive – and just pothole fillers. I am not a pothole filler.”