In my line of work, people often ask why anyone would want their information. The threat environment has shifted from “Look what I can do! Isn’t this fun?” hacks to deliberate, concerted, concentrated efforts against a particular target to get financial information. It is a phenomenal shift and it requires a different way of thinking. However, some managers still operate with an old mindset and are unprepared for the new threat. In the federal space, senior officials with clearance can be educated on the current threat. In private industry, corporate officers are limited in their ability to receive threat briefings.
IT infrastructure is faster, more complex and more interconnected, and with cloud and managed services, the architecture has changed. We have gone from having a data center that can be hardened to cloud computing that turns that model on its head. The core is now your infrastructure and network and you are plugging in at cloud data centers. Now you have to be master of security and risk management, as well as master of change management because your environment is changing and evolving rapidly. The challenge in implementing stronger security in the future is the necessity to build a strong core infrastructure, strong governance and strong risk management in the organization. The skill sets and technology we are looking at are changing because of it. The only constant is the change and evolution of our business model.
A recent step in the right direction was the focus on threat sharing in federal legislation. On the threat-sharing side, legislators are considering allowing people in business to get threat information. Early efforts such as the US Federal Bureau of Investigation’s (FBI) InfraGard program need to be expanded by the Department of Homeland Security (DHS). Should the Sarbanes-Oxley model be used to improve cybersecurity? After all, it forced authorizing officials in the financial sector to attest to the accuracy of the financial statement with criminal penalties for non-compliance.
I just reviewed the new US Federal Information Security Management Act (FISMA) guidance and was pleased that certification and accreditation remains, rather than scanning and patching your systems and hoping for the best. The US Congress understood the importance of the risk management framework developed by the National Institute of Standards and Technology (NIST) and that ongoing diagnostics and mitigation are a subset of continuous monitoring.
Congress might consider reviewing the state of Texas’s privacy breach laws centered on health care information. Texas provides safe harbor if there is a breach of a health care organization that is certified in the HITRUST framework. I think US legislators should consider rewarding those who implement good security practices like ISO 27000 or COBIT, rather than penalizing them when a breach occurs.
US Federal Programs that Work
FedRAMP has done a great job of putting forward minimum baseline requirements that the industry recognizes from doing business with the government, creating large savings for agencies. The benefits carry over to companies and the consumer, in that what is done to meet government standards is eventually adopted by private industry. This is government buying power that positively influences consumer products like cell phones, which now support full device encryption for free. I think the US government will set the bar for acceptable general security.
A trend I currently see is organizations positioning the CISO over the CIO. The CISO already knows infrastructure and the business and has a privacy and risk management mindset. The CIO will do what they have always done—be the operations manager, build the infrastructure and manage cloud providers. We need risk management at the top. If you look at NIST SP 800-39, it emphasizes risk governance and if you do not have that from the top down, it is going to come back to bite you.
For my security positions, I am hiring MBAs with a strong emphasis on credentials in information security and assurance. I am looking for people who are flexible, have critical thinking skills and have the social and diplomatic skills needed to be able to converse with executives and make a clear case on why security controls are needed. I am an MBA and differentiated myself by getting credentials from CompTIA, (ISC)2 and ISACA.
Steve Hernandez, CISA, CISSP, CNSS
CISO, Office of Inspector General at the U.S. Department of Health and Human Services