A recently released 10-month review consisting of 10 years’ worth of inspector general’s (IG) reports across eight federal agencies by the Permanent Subcommittee on Investigations of the Senate Homeland Security Committee found that “Agencies currently fail to comply with basic cybersecurity standards.” The full report can be found here and the major themes identified in the report highlighted yet again the fundamental work that isn’t being done to comply with basic cybersecurity standards. So why isn’t the work being done? Is it a lack of money, tools, people, all the above? Buried on page 46 of the report then-DHS CIO Richard Staropoli is quoted in a 2017 interview with the Subcommittee on the state of the OCIO saying, “You can write this down and quote me, the problem is piss-poor management.”
That blunt assessment, it’s a management problem, is worth considering. Better outcomes can be achieved, across the Federal government and industry, with a disciplined, framework-based approach to cybersecurity. This approach and the guaranteed better outcomes that will follow require a recognition that many of the management disciplines inherent in other business supporting functions like finance and engineering are missing in cybersecurity. The problems in cybersecurity are different but the principles required to improve them are not. Said another way by the late W. Edwards Deming:
“A common disease that afflicts management and government administration the world over is the impression that “Our problems are different.” They are different, to be sure, but the principles that will help to improve quality of product and of service are universal in nature.” W. Edwards Deming
Many of the failures identified in the Subcommittee review focused on people and processes, management, rather than the need to buy more vendor tools and products. Too often the answer to a cybersecurity failure is a procurement activity. Instead of focusing on the root cause, a breakdown in process, lack of auditable process or some other management issue.
The Audit Results
The agencies reviewed included the Department of Homeland Security and seven other agencies cited by OMB as having the lowest ratings regarding cybersecurity practices based on NIST’s cybersecurity framework in the fiscal year 2017. The IGs identified several common, repeat historical failures at the eight agencies reviewed by the Subcommittee including:
Protection of PII. Agencies failing to properly protect the PII entrusted to their care included State, DOT, HUD, Education, and SSA. The HUD IG has noted this issue in nine of the last eleven audits.
Comprehensive list of IT assets. A persistent, recurring issue with agencies failing to maintain an accurate and comprehensive inventory of its IT assets is a recurrent problem for State, DOT, HUD, HHS, and SSA.
Remediation of cyber vulnerabilities. Over the past decade, IGs for all eight agencies reviewed by the Subcommittee found each agency failed to timely remediate cyber vulnerabilities and apply security patches. HUD and State IGs identified the failure to patch security vulnerabilities seven of the last ten annual audits. HHS and Education cybersecurity audits highlighted failures to apply security patches eight out of ten years. For the last nine years, USDA failed to timely apply patches. Both DHS and DOT failed to properly apply security patches for the last ten consecutive years.
Authority to operate. Failure to ensure systems had valid authorities to operate were observed at DHS, DOT, HUD, USDA, HHS, and Education. Again, a recurring issue, HHS systems lacked valid authorities to operate for the last nine consecutive audits and DHS operated systems without valid authorities in seven of the last ten audits.
Overreliance on legacy systems. All eight agencies examined by the Subcommittee relied on legacy systems. The DHS IG noted the use of unsupported operating systems for at least the last four years, including Windows XP and Windows 2003.
If these findings sound all too familiar what is the solution?
The issues above will look familiar to almost any cybersecurity professional and the problems generally lend themselves to the same solution. The principles required, both in the private sector and across the Federal government, truly are universal in nature.
The solution, choose a Cybersecurity Framework. There are many to pick from and we recommend one that best aligns with your existing regulatory requirements. There are many frameworks and standards and if you can’t decide which one best fits your business ask for help. Regardless of your industry, there is a suitable framework and the time wasted debating best fit is time that should be spent remediating issues. When all else fails the NIST Cybersecurity Framework is flexible and detailed enough to meet just about any business requirements that you might have and should easily map to all your regulatory and compliance requirements.
Assess Yourself Against the Framework
The assessment is not an audit so don’t describe it that way; socialize it appropriately with your management and your team. How? Every culture and set of circumstances is different but something along the lines of, “We’ve got a good understanding of what we need to do in security to better align with the business and we are using this assessment to validate that thinking and create a multi-year investment strategy that will drive measurable improvement as opposed to the one-off point solution improvements.” If this assessment is going to be transformative you need to build support before it starts and ultimately you will have a burning platform off which you can launch your strategy. The assessment is a tactic that will enable the execution of your strategy.
Don’t do the assessment yourself; you won’t have the time to do it justice and somehow having a third party conduct the assessment is always more effective. When you select a third party make sure they invest the time to know what you want to get out of this assessment. Many mediocre companies can produce assessments that follow a boilerplate template and answer all your obvious questions leaving you no better off than where you started and a little poorer. Take the time up front to write a statement of work that forces your provider to deliver real value and not just a 100-page report. Define the value for your business in doing the assessment and the expected outcomes. Need help? CyberSheath has delivered hundreds of framework-based assessments that deliver compliance and improved operational security, find out how here.
Create a Project Plan, Remediate Assessment Findings, and Track Progress
Once you have the assessment completed you can prioritize the findings and give management a detailed, multi-year plan for how you are going to transform security into a transparent, measurable business supporting function. Your assessment results should change security conversations from procurement driven discussions around products to strategic discussions around compliance and enabling more resources to be spent on actual defense. You will have objective, fact-based data to articulate risk and prioritize resources.
Remediation efforts should be actively managed in a project plan and briefed to business stakeholders on a recurring basis. Take this opportunity to transform the security discussion from event-driven fire drills to documented, measurable progress against a prioritized list of cybersecurity improvements. Depending on the size and culture of your business the project plan related to remediation can be part of a company-wide strategy that the security function can be measured against.
Obviously, none of this is simple but it is critical if you want to transform from a reactive event-driven cybersecurity organization into a strategic business partner. Don’t Fight Phishing Attacks Alone.
With the federal agencies and commercial companies facing many of the same cybersecurity problems year in and year out, it’s time to try a better approach. Get hands-on professional and managed security services from CyberSheath and apply the universal principles that will improve the quality and effectiveness of your cybersecurity efforts. Contact us now to find out how we can help.