Federal Cyber Security: Why I'm Tired Of Losing

Fair warning: I’m probably going to whine and soapbox in this write-up. You should know that up front.

But frankly, I’m tired of losing. I’m frustrated with the state of cyber security in our space. To some degree, it’s a situation that the whole world finds itself in – both in government and commercial sectors. Everything is connected, these days. Everything is vulnerable. And therefore, everything requires cyber security professionals to architect, engineer, and deploy.

“Losing” involves several factors, in my opinion. In short, we are getting killed. Attacks continue surfacing in ways that are more and more unabashed, unmasked, and “in your face”. We’re not just pushed back on our heels, but we seem resigned to losing. Our state-sponsored enemies are bolder, more persistent, more patient, and generally more focused. Those things sting, right? Maybe take a step back, take a deep breath, and be introspective for a few minutes before reading further.

What are some factors that contribute to “losing”? There are several, in my opinion. So here’s the “trigger warning” flag, and here’s the “these comments are strictly my own” preface!

Apathy: This stings, I know. But let me explain: Employees get frustrated with culture. We live in a culture that is constantly changing due to our constantly changing political climate. Funding is never a surety, and leadership gets shuffled around more than it does in other sectors. These two things can breed discontentedness and a belief that most of what we do is futile. After all, we’ll probably get 85% of the way through the engineering process, funding will get cut, and all of our work was useless – right? This ultimately breeds frustration, a certain hopelessness, an “I give up” mentality, and ultimately, that produces apathy that sets us up for assured failure.

Federal Policy: This is a complicated point, and a dangerous one to address. I’ll first start out by saying that I’m a huge proponent of a centralized, HQ-down approach to policy. Also, to HQ-down architecture and engineering in general. Providing it’s done right. That “providing it’s done right” comment is a topic for a whole different article. Firstly, “Federal Policy” in the cyber arena is often done in a vacuum. Such policies are often very toothless. And more than that, it’s very normal for them to be 5-7 years behind the curve (from a technology standpoint) by the time they actually get rolled out. If the policy even gets adopted in the first place, it’s done with passing audits as the primary concern – above being done with a big picture view of our cyber security culture and success. It turns cyber success benchmarks into shortsighted fire drills, as opposed to an intentional, focused effort to deliver successful and practical enterprise-wide architectures.

Focus on the trendy, not on practical operational delivery: In the Fed space, we love to innovate. We love to push the envelope. We love to develop in-house tools developed by our own developers. We reward those things with funding. We take pride in this type of approach. And let’s be honest, the internet wouldn’t be here today without that mindset. Research is critical, obviously. So I’m not knocking any of that. But what happens when the tools have to actually be deployed on an enterprise-wide scale? What happens when developers get hired away? Does the tool or project simply die on the vine? Usually. Additionally, we seem to reward the research, but have very little accountability on the service delivery side of the house. How practical did the tool prove to be in the long term? It’s great that it worked in a small subset of the network. But did it work enterprise-wide? What were the real-world operational costs? What were the success metrics? Did those metrics have any teeth? We should stop taking victory laps before we actually take an honest look at these things.

Lack of cyber-focused project management: I learned the hard way early on in my career that projects require accountability in delivery throughout the lifecycle of the project. I can still remember a PM (who is now a friend of mine) taking me to task right in front of my boss, due to my deliverables slipping on the project timeline. I was MAD. But why was I so mad? Because he was right, and it exposed my shortcomings. Thankfully, it happened pretty early on in my career, and changed the trajectory of how I approached engineering and architecture. Project Management is critical. It’s not personal, it’s business. We need Project Management teams who are experienced, and who have the political influence necessary to hold folks to task. It’s shocking how lacking we are in this area. How can we define real, measurable success without metrics?

In order to stop losing, we desperately need change. We desperately need to start operating on the cyber side, like a business. What’s the real cost to our bottom line, when we lose? How do we quantify that cost?

We can start by recognizing our desperate need for technical leadership. We need legitimate teams of Enterprise Architects that aren’t constantly getting sucked into tier-3 troubleshooting and lower level engineering. This doesn't mean that Architects are somehow elite over Engineering and Operational staff, whatsoever. Simply different roles. More specifically, we need to be cyber-heavy on our EA team… potentially providing 200% more resources for cyber-specific EA resources than in any other area. EAs who are driven, are innovators, have a history of successful delivery, etc.

Expanding on that, we are desperate for cyber-oriented Project Managers. While an EA should obviously have skill in Project Management, we need to free them up to focus on the technology. As I talked about before, these PMs must be given the influence from C-level execs that is needed to exact results.

We are desperate for collaboration free of risk. Let’s face it: The world of funding in the fed space is competitive. Entities are always competing with each other for funding. This breeds a culture of isolation, silos, and causes entities to run from collaboration at all costs. That is devastating to our likelihood for success, especially in the area of cyber security. We not only should be sharing actionable intelligence, but we should be sharing ideas for architectural approach in the cyber arena. Federal Contractors, Partners, Vendors, Commercial Cyber Execs, etc. can all play a vital role in contributing to architectural success in the cyber fed space.

Lastly, we are desperate for decision makers who are focused on delivery. We need to start playing to the percentages. We need quick wins. In the fed space, are we covering the fundamentals? Examples might include basics like Layer 7 Inspection. True network wide admission control/authorization. Baseline IDS/IPS and Posturing in all areas, including Controls Networks. Controlling policy at a campus controller level. The funding and creation of legitimate NOCs and SOCs that collaborate closely together. Network Architecture directly enables successful cyber security. It’s time that those two “sides” stop being adversaries, and start working together to accomplish the mission.

None of this is easy. There are no silver bullets. And these are complex problems. But it’s time for a new approach. We should be tired of losing. I know I am.
