Page 32 - FCW, September 15, 2017
FCWPerspectives
improving and reviewing our cybersecurity posture.”
Another participant, however, said the order had already served as a valuable forcing mechanism for collaboration. “This was a great avenue to bring all different departments within the agency together to say, ‘Hey, how do we work together to respond to this EO? Because we can’t do it by ourselves, and if we want to be successful, we have to work together.’”
And virtually all the participants agreed that the cyber executive order was different from others in that it clearly explained the thinking behind the changes.
“They actually did attempt to provide background as to why they thought this thing needed to be addressed,” one participant said. “It was actually the first time, rather than just having a ‘You shall do.’”
Another participant praised OMB for acknowledging that some tactics — like Trusted Internet Connections — might not be the best approach now that the strategy has shifted from data center consolidation to “cloud whenever possible.”
“It is kind of unique for the government to say, ‘We choose to go down Path A, but we realize the world has changed,’” he said.
Culture still comes first
Several participants said the order’s message is important because so many people in the government still see cyber as a compliance exercise.
“You’ve got to go through the cultural shift first,” one said. “That’s essentially the pivotal change that has to occur because I don’t need to collect a whole bunch of data to fill out a compliance checklist.”
There are real operational challenges, the group said. For instance, cloud technology complicates asset methodology and the idea of attack surfaces. “But those are things that we can evolve to,” one executive said — unless “everyone still falls back on ‘security is compliance.’... You’ve got to change the overall approach to cybersecurity to be a much more proactive game that says you continuously have to be ready to do things because the threats are evolving.”
Many mission leaders and top agency officials still struggle to think about cybersecurity in this way, participants said, but several added that the NIST framework was making that education process easier.
“No one will ever say it’s simple,” one executive said. But the framework’s five core functions — identify, protect, detect, respond and recover — make it “highly consumable by an executive understanding the complexities of the cybersecurity question.”
“You only have five words to work with,” he added. “You can build a great story around those five words that really resonates with the front office.”
Ultimately, another executive said, the challenge comes down to turf. “Every time I looked at an agency that was serious about doing consolidation or aggregation or modernization, it’s not finding the assets to do it that’s the challenge,” he said. “The hard part is the geopolitical effects to the agency in terms of human resources, organizational construct and who’s operating these systems.”
Accountability changes everything
The executive order’s declaration that agency leaders are directly responsible for cybersecurity is a big deal, most participants said. Although there have been few public signs of that shift, one executive said that for her agency, “it meant a complete change in everything.”
“This wasn’t just our CIO,” she said. “This was the top boss who said, ‘Cybersecurity: big deal, pay attention.’ It led us to change the actual structure of the organization.... The ability to move resources and to change the actual structure of the organization is huge.”
Another executive elaborated on what those changes look like. “If I knew that if I can’t accomplish that mission objective without having systems be secure, then I may restack the priority deck on where the assets are going. I may reallocate funding and reallocate effort — and it’s making that risk management decision at that top level.”
That accountability trickles down, several participants said. “When the most senior leaders are accountable, that means that the leaders under them are also accountable. In every one of my domains, every one of those leaders has to go to the top executive and say, ‘This is what I’ve done in the last