Page 25 - FCW, Nov/Dec 2016

Government and industry must work together to build partnerships that enable trusted information sharing and joint capability development.
tions such as the Defense Advanced Research Projects Agency, the Intelligence Advanced Research Projects Activity and the Homeland Security Advanced Research Projects Agency can work alongside investment strategies coming out of the venture capital community and public/private research partnerships such as In-Q-Tel, following the research lead set by industry.
Forum participants also identified other levers for achieving actionable cybersecurity:
• Enable the mission and support mission users
Any cyber strategy must balance mission enablement with protection. Government provides key information and services every day over open networks; actionable cybersecurity approaches should enable mission delivery and not impede operations, lest the latter result in workarounds that further weaken protections.
Different agencies will address the risk balance in different ways. The delivery of social services, for example, will result in a set of actions that allow individuals to learn about, apply for and receive benefits, while the protection of taxpayer information requires strict attention to security and privacy for sensitive personal information. Accordingly, the delivery of practical cyber solutions must account for how an agency’s culture affects its employees, beneficiaries and stakeholders.
Simple cyber solutions can be implemented with greater success than those that rely on complexity. Enterprises need to take human factors and usability into consideration when determining cybersecurity solutions, which can drive basic building blocks that help address the majority of vulnerabilities created by inadequate practice of basic cyber hygiene, such as improper response to phishing email messages. That inadvertent insider threat can emanate from all levels of an organization — entry-level staff, C-suite leaders and everyone in between.
More advanced solutions must be adapted based on employees’ competency to create and maintain technical approaches. Elegant technologies that cannot be implemented well will not be cost-effective.
• Build security into development
Participants agreed that, in general, software developers need training in how to build security into applications and increase their cyber analysis capabilities.
Most development focuses on maximizing usability and service delivery, with protection bolted on after the fact. Making security central to the application life cycle can significantly reduce basic software vulnerabilities, and development sandboxes can help developers learn how to bolster protections for the next software release. Conversely, when adopting open-source software, enterprises need to assess vulnerabilities in the supply chain behind that application suite.
Building security at the data level can complement technical approaches at the systems level, especially in protecting personally identifiable information and other sensitive data.
There is a growing movement around the development of resilient solutions that learn about threat and response patterns and can address a breach immediately, without waiting for human intervention, while still providing notices about such actions as a check for system overseers.
• Embrace governance frameworks that encourage collective action
Governance frameworks that promote sound decision-making can significantly enhance an organization’s capacity to provide for cybersecurity. Through leadership and collective action, enterprises can create communities of practice that connect experts with mentees.
Participants also stressed the need to “celebrate the security hero.” Just as law enforcement officers receive commendations for outstanding performance in combating crime in the streets, cyber professionals should be recognized for exemplary performance in combating cybercrime.
As the above points demonstrate, CIOs and IT leaders in government and industry can benefit greatly from understanding and implementing effective practices from each sector. What else should be on the table for future discussions? Please share your thoughts by emailing tips@fcw.com or messaging @FCWnow on Twitter.
Dan Chenok is executive director of the IBM Center for the Business of Government.