Page 30 - FCW, August 2017
P. 30

CYBERSECURITY
Executive Viewpoint
SECURITY FOR THE MODERN WORLD
NARA takes a multipronged approach to ensuring comprehensive cybersecurity.
SPONSORED CONTENT
NEIL CARMICHAEL
DIRECTOR, INSIDER THREAT PROGRAM, OFFICE OF THE CHIEF OPERATING OFFICER, NATIONAL ARCHIVES AND RECORDS ADMINISTRATION (NARA)
Federal agencies across the board have made great strides toward improving their overall cybersecuri- ty postures. The recent Cyber Sprint, in particular, helped many agencies identify and remediate vulnerabilities, but there is still much to be done. FCW caught up with Neil Carmichael, Director, Insider Threat Program, OCIO, NARA, to hear his thoughts on the current state of cybersecurity.
What are the primary types of threats agencies face today, and how well do they understand those threats?
The external threat is always going to be there, but the “new” threat people must come to grips with is the insider threat. That threat has always been there, but what’s new about it is the vast amount damage that can now be done. If you
go back 30 or 40 years, people could could compromise just a few documents at a time. Now they can walk out the door with gigabytes of data.
There’s the malicious person who does something with intent. Then there’s the person who means no harm, but for one reason or another, doesn’t follow the rules or policies and inadvertently releases information they shouldn’t. Then there are people—particularly newer and younger employees—who have no fear of what they put online. They want to
do a good job, they’re frustrated by all the government rules, and they look for ways to get around them.
How effective are current government- wide policies and regulations in helping you with security? Is anything else needed?
For the National Archives, I try to determine what’s already out there that we can leverage from the perspective of insider threats. Are there other offices already collecting information? Are there any agencies already looking at violations of policy and regulation? How can we latch onto those?
I think the tools are already there for us to
use. It’s a matter of breaking down some internal stovepipes so we can maintain a good information flow about issues within the organization. At NARA, we have gotten really good at breaking down those stovepipes.
Where does employee training come
into this?
I think you can overdo the training, to the point where they become desensitized. It’s more a matter of striking the right balance. On one hand, you have to educate them about the issues. Then you have to make sure you follow up.
Training is most effective when you don’t do it in a heavy-handed way. It’s when we use a, “Hey, do you know this?” type of approach. We need to get them to stop and think about things, and we’re getting much better at that.
Do you see any future technology developments that will help you better secure your agency?
There are always new tools being developed. And there a lot of good tools out there now that can be helpful. With many of them, though, you’ve got to balance the employee’s personal privacy with the right of the government to know what the employee is doing. So it’s not so much a matter of what are the better tools out there, but how do you utilize them.
The oversight we put on tools are extremely important. There’s no question though, there are some tools that are going to help wash out the noise and be very beneficial. In the end, it all boils down to a single analyst sitting in a cubicle using the technology who is going to make the determination whether or not a threat is legitimate. We have to keep that human component in mind. Sometimes, agencies lose sight of that.
This interview continues at Carahsoft.com/innovation/NARA-cyber.
S-24


































































































   28   29   30   31   32