The biggest challenge facing cybersecurity professionals in Federal agencies is, well, the Federal government. There are sweeping mandates to keep agencies secure. But the funding to back that guidance is tied to factors that may not even contribute to the protection of privacy and intelligence. Budgets are driven by enforceable regulations, not necessarily by the most effective protection strategies. This leaves Federal security teams facing the unenviable choice between securing their agencies and securing their jobs. But that’s a choice that may not be entirely within your control. One breach and all hell breaks loose.
According to the Government Accountability Office, “If information security controls are ineffective, resources may be lost, information—including sensitive personal information—may be compromised, and the operations of government and critical infrastructure could be disrupted, with potentially catastrophic effects.” The office also highlighted several weaknesses in current Federal cybersecurity practices, including lack of risk-based cybersecurity programs and access control systems, while calling for improvements in contractor oversight, incident response, and security programs at small agencies.
However unenforceable or underfunded, cybersecurity remains a top priority for President Obama. Outlined in a White House blog, the 2016 Federal Cybersecurity Research and Development Strategic Plan calls for “new forensic capacities that reliably identify the perpetrator quickly enough to take action, without compromising free speech, or anonymity for those who are doing nothing wrong.” Again, no one is arguing that Federal agencies will not need advances in cybersecurity to remain viable. But the real question is what can you do RIGHT NOW, given current funding and regulatory limitations.
In the wake of the massive data breach at the Office of Personnel Management, which exposed the records of nearly 22 million federal workers, Federal agencies are worried. But will legislators match that concern with the cash needed to implement the required cybersecurity? Time will tell. But in the meantime, the Office of Management and Budget recently upped the ante with the Cybersecurity Strategy Implementation Plan. The plan includes recommendations for basic security upgrades to prevent infiltration and breach. It’s a smart plan. And the goals are solid, but it’s the journey to those goals that remains uncertain.
The machine of bureaucratic change is admittedly cumbersome and slow moving. The U.S. Federal government is not run like a business. It is run like the slow-moving, unwieldy superpower that it is, where change is slow and hard fought. Because the government is not profit driven, there may be little formal incentive to increase productivity or reduce costs. There are, however, informal incentives to allocate funds to penalty-driven programs, expend budgets, and maintain continuity. No agency wants to do anything that would disrupt service, as illustrated in the problems that plagued the launch of the Affordable Healthcare Act. So your upgrades get deferred. Then the budget disappears. And the problems remain. But you are back where you started. It’s very much a “fix it now and catch up later” mentality, according to an astute article in the Daily Dot.
First focus is to overcome the problem from within
In a survey commissioned by HP, the Ponemon Institute recently found that the Federal Government may be its own worst enemy when it comes to cybersecurity. 44 percent of federal workers who responded to the survey indicated that “the biggest threat to federal cybersecurity is ‘the negligent insider’ at an agency who fails to take enough precautions while using or protecting government networks.” By comparison, only 30 percent of respondents marked nation-state hackers as the primary threat.
Enforcement is everything. Employee compliance is critical. And support must trickle down from the top to the middle. The ultimate success of Federal cybersecurity relies on getting buy-in from cabinet secretaries and mid-level managers. It’s a change of mindset that may seem a bit unrealistic. But it’s the only way that the government can truly enact critical changes in cybersecurity. In the meantime, while new systems may be slow to implement due to concern over the continuity of large government programs, agencies must lock down the proper controls that will protect them throughout the process.
Agencies still need to overcome the burdens inherent in large government to enact the changes needed for effective, up-to-date cybersecurity. The good news is that you have backing from the highest levels, i.e., the Oval Office. But outlining and securing the necessary funding remains a challenge, as does staffing and implementation. To have any chance of bringing cybersecurity up to code, agency teams must identify, clarify, and justify the fastest, cheapest ways to mitigate the highest risks. Automating that security is one of the best ways of enforcing compliance.
At Venafi, we believe that as the foundation of cybersecurity, keys and certificates are a good place to start. Without these forms of validation and authentication, we would simply not know which systems, applications, or users to trust. Control that system of trust (or mistrust) and you control access to your critical digital assets. Venafi can help automate the protection and management of your agency’s keys and certificates. Plus, it’s a smart place to invest, especially to prevent man-in-the-middle (MITM) attacks, spoofed websites, code-signed malware, and other threats that misuse keys and certificates to bypass even the most rigorous security controls.
Talk to us today to find out how Venafi can help you eliminate blind spots to protect your agency during the planned upgrades in your cybersecurity.