Page 96 - FCW, August 2021

FCW Perspectives
Participants
Sean Connelly
TIC Program Manager, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security
Chris DeRusha
Federal Chief Information Security Officer, Office of Management and Budget
Drew Epperson
Chief Architect, Palo Alto Networks
Sanjay Gupta
CTO, Small Business Administration
Craig Hayn
Chief Information Security Officer, National Cancer Institute, Department of Health and Human Services
Mike Hurt
Vice President, Federal, Palo Alto Networks
Wanda Jones Heath
Chief Information Security Officer, Department of the Air Force
Heather Kowalski
CIO, INTERPOL-U.S. National Central Bureau, Department of Justice
Oki Mek
Chief Artificial Intelligence Officer, Department of Health and Human Services
Tony Plater
Acting Chief Information Security Officer, Department of the Navy
William Salamon
Director, ICAM Shared Services Division, General Services Administration
Note: FCW Editor-in-Chief Troy K. Schneider led the roundtable discussion. The July 12 gathering was underwritten by Palo Alto Networks, but both the substance of the discussion and the recap on these pages are strictly editorial products. Neither the sponsors nor any of the roundtable participants had input beyond their comments.
Other participants said the conversations in their agencies were already changing. The executive order “has enabled me to really do some of that education,” one official said. “When I come to the bosses and I say, ‘Look, yes, we’re modernizing our application, but I have to spend $100,000 on servers and switches because the current ones that we’re using, I can’t make the changes I need to make.’ So I have found that to be helpful.”
Another noted that some of the key spending may have already occurred. “A lot of the investments that have been made over the last several years are fundamentally aligned with the concepts of zero trust,” that official said. “We should be able to reuse a lot of the investments that have been made to get us there. It’s not a net new buy from the ground up to get us moving toward zero trust.”
Some agencies have already requested supplemental funding in fiscal year 2022 to address the damage caused by the SolarWinds compromise; one official noted that “there were significant plus-ups at nine agencies.”
For most agencies, however, the Technology Modernization Fund offers perhaps the best chance for efficient new cybersecurity funding.
“We got a billion dollars,” one official said. “That’s a lot of money. We relaxed repayment so that there is the opportunity under certain conditions to have very minimal repayment, which means it’s not a loan. It’s an investment that an agency can make. And we are definitely seeing people tie zero trust plays together in project proposals.”
Several other participants confirmed that their agencies had either applied for TMF funding or were in the process of doing so. The more-flexible repayment requirements were a key incentive, they said.
Yet while many “security investments aren’t going to save money somewhere” and allow for quick repayment, one participant stressed that there does need to be a longer-term opportunity to realize savings.
“It cannot be always net additive,” that official said. “It should be more realistically net zero, if you look over a two, three, four-year timeframe. So I want to emphasize that we should be looking at all investments, all upgrades, all modernizations, regardless of whether it’s cyber or not, in that manner.”
Room for further improvement
For all the cheerleading that the executive order received in the roundtable discussion, participants had their constructive criticisms as well.
“It feels to me that it’s a little bit more leaning towards reactive,” one official said. “If this incident happens, you should do that. That’s all great, but I think, ultimately, we need to move into more proactive stance as opposed to a reactive stance.”
“I’m not trying to suggest that reactive solutions, and models and clearly identifying who’s responsible for what is not important,” the official continued, “but I think we need to start moving into either a balanced approach or ultimately tilting towards a proactive thing.”
And while the group appreciated the emphasis on whole-of-government efforts, there was some concern that it sent the wrong message.
“There’s reference to all of our partner agencies,” one official said. “CISA, NSA, FBI. They’ll do this, they’ll provide this guidance. It’s all great stuff, but I feel it’s a missed opportunity to call out that regardless of what these partner agencies are doing to support us, the agency head ultimately is still not off the hook. They have to do everything that they can possibly do themselves to make sure that they are protected and they’re doing everything to protect their organization.”























































