Why You Need an Effective Risk-Management Strategy for Cybersecurity
INDUSTRY PERSPECTIVE
Executive Summary

There are few constants when it comes to federal cybersecurity. Agencies are bombarded daily with evolving cyber attacks against their sensitive data and systems. They also face a never-ending battle to secure consumer devices that employees are connecting to their networks. Although agencies can’t control the sophistication and frequency of attacks, they can take steps to improve their defensive posture. One way is through strong risk management, which includes assessing risks (security, financial and otherwise) and evaluating alternatives to address those risks. For example, before agencies decide to let employees use their personal devices for work, they must determine what risks this decision could pose and how those risks can be mitigated.

“The reality is that devices proliferate, and this is usually driven by a business need or somebody who’s anxious to push a lot of connectivity out on behalf of the agency,” Dave Bowen, Managing Director at PricewaterhouseCoopers (PwC), said in an interview with GovLoop. “The intentions are good, but oftentimes the security aspect is not considered upfront.”

These actions inevitably introduce new risks into an organization, some of which go undetected or are not properly managed. The fact is some agencies grasp this concept of risk management better than others, but many tend to manage reactively, crisis by crisis. One thing is true for all agencies, however: Understanding risk is a learning process. They’re trying to learn the size and nature of risk to the enterprise, and what problems it could cause the agency, said Bruce Brody, Director at PwC.

That’s why GovLoop teamed up with PwC experts who have served as federal IT executives and know firsthand the barriers agencies face to improving risk management, especially as it relates to attempts to strengthen an agency’s cybersecurity posture.

In this report, we explore the cybersecurity benefits of effective risk management, the challenges agencies face when implementing risk-management programs and how PwC is working with agencies to address those issues. To begin, let’s first explore some of those challenges, as well as solutions.
Federal Cybersecurity: A Risk-Management Issue

The inability of IT leaders to hold people accountable for their actions has long been a challenge in the federal tech community and remains one of the biggest barriers to implementing robust risk management governmentwide. In fact, federal cybersecurity is essentially a risk-management issue. Effective risk management is hindered, however, by fragmented and non-empowered governance. Although Congress made strides in the early and mid-2000s to enhance information security governance through legislation, specifically the Government Information Security Reform Act of 2001, the Federal Information Security Management Act of 2002 and the Federal Information Security Modernization Act of 2014, the laws did not fully address the nuances of risk management and cybersecurity governance.

“Governance is centered around accountability, and the ability to hold people responsible for not doing what they’re supposed to do or purposefully neglecting their responsibilities,” Brody said. “The chief information officer and chief information security officer are usually unable to hold officials in their department accountable because of governance fragmentation.”

CIOs and CISOs usually do not have as much clout and visibility as other agency leaders, particularly those who have dedicated budgets to oversee. But that is gradually changing, thanks to provisions in the Federal Information Technology Acquisition Reform Act (FITARA). The law requires that CIOs be empowered to review and approve IT spending and root out waste and duplication in IT budgets. Ensuring CIOs have the clout they need to carry out these duties is key to establishing strong governance. When IT leaders are empowered to hold people accountable for their negligence or inattention to duties, they can better identify and address the risks associated with those actions.

“The question is how CIOs and CISOs will marshal emerging tools that their agencies want to buy and how to manage them under a solid governance program,” Brody said. “That includes capabilities such as the Continuous Diagnostics and Mitigation (CDM) tools being rolled out by the Department of Homeland Security.”

When IT leaders make decisions about where to invest their cybersecurity dollars, whether on tools or personnel, they must consider how that funding will help reduce security risks. It’s impossible to eliminate all risks, especially when humans are involved, but agencies should make a concerted effort to assess the level of risk, how to mitigate it and whether there are options that provide the same results but introduce less risk. That’s not all agency leaders should consider when developing a sound governance plan. They have to ensure a solid security architecture is in place. This evolving architecture and framework should guide how information security systems and practices work together to accomplish an agency’s mission. Having a strong framework that defines processes and procedures for implementing security policies is also key.

“If CDM, a solid and enforceable set of security policies, a strong security architecture, FITARA and similar tools are properly employed by the CIO and CISO, these things can begin to help them get their hands around the problem of governance,” Brody said. But tackling this ongoing issue takes time and commitment at all levels of an organization.

“Consider that IT leaders are balancing their daily responsibilities, long-term goals and tight budgets,” Bowen noted. “They’re also working to change the hearts and minds of colleagues and senior officials who view investments in security as insurance — something that’s nice to have but not a necessity.” Governmentwide, there is a natural tendency to invest in things that are consistent with the mission, and security must be one of them. In fact, security must be an enabler of an agency’s mission.
Understanding Your Attack Surface

In this void of governance, the attack surface of the federal enterprise has grown enormously, and no federal CIO or CISO has an accurate understanding of their agency’s exposure. All it takes is one employee clicking on a malicious link or downloading a corrupt file to give attackers authorized access to government systems and data. That’s why agencies must be aware of the different attack vectors, including email, mobile devices and unsecure internet connections, that could be exploited by people with malicious intentions. These paths or methods that hackers can use to exploit agency vulnerabilities are collectively known as attack vectors. Reducing the size of an agency’s attack surface contributes immensely to a better understanding of the IT environment and of how to address its risks through improved risk management and better cyber hygiene. But doing so is easier said than done.

“There are a growing number of products available to agencies for managing the expanding attack surface,” Bowen said. “There are mobile device management systems and varying kinds of technologies that can monitor what software may be running on a device and segregate corporate and personal applications on a single device.”

“Those kinds of approaches all try to address the problem of the growing attack surface, but none of them totally solve it,” he said.
Here’s why: The rise of mobile and interconnected devices, such as printers and virtual conferencing technologies, has drastically increased the number of endpoints that can be breached if they’re not secured properly. There’s also the human factor that must be addressed. Often it’s how the technology is used that makes it a risk to agency operations, not the technology itself. To address this issue, the Obama administration’s newly appointed federal CISO — the first to hold such a position — developed a list of strategic objectives, and one of his top priorities is hardening the workforce.

“That becomes an increasingly complex issue to address, especially considering the proliferation of millennials in the workforce,” Brody said. “They are tech-savvy, and they take advantage of the interconnected world that technology enables. We have the additional complication of hardening the workforce at large and making them risk-conscious and security-aware. Each device that you’re not aware of in your enterprise is being manned or operated by someone who is not hardened.”

When you consider the massive size of the federal workforce, it can seem like a daunting task to make everyone more security conscious and sensitive to attackers’ tactics. Part of the solution is translating cyberspeak into layman’s terms that all employees can understand. To do that, some agencies are using tactics that go beyond the typical security awareness training.
For example, some agencies use internal phishing campaigns run by their IT departments to teach employees the importance of being vigilant when it comes to email security. What may appear to be a legitimate email could be one meant to cause harm to an agency. Employees who click on the email from the IT department are notified that it is part of an internal phishing campaign. Although those emails are harmless, employees are made aware of the damage that could’ve been caused if it were a malicious email. Other organizations deny employees access to systems for a short period of time to bring that message home.
Making Privacy a Part of Your Risk-Management Strategy

You can’t talk risk management without addressing the issue of privacy, especially in today’s global environment where data is constantly created and shared. To address the challenges around properly securing privacy data, agencies first need to understand what their privacy data consists of, where it resides, how it moves in and out of the agency and where it’s going, Bowen said.

Bowen recalled his time as a CIO in government and the work his agency did to detect various forms of privacy data residing on its networks. “We were amazed at where some of this data was going,” he said, adding that a lot of the data was used for old processes that had been unchanged for years. Certain reports containing different sets of privacy data were flowing in and out of the agency for legitimate reasons, but the data wasn’t encrypted.
“At the time the data was developed, security was less of an issue than it is today,” Bowen explained. Where there were instances of unencrypted privacy data traversing the network, the agency put controls in place to detect and manage that activity. It’s also important for agencies to understand how privacy data may be stored on employee and end user devices. Perhaps somebody put together a list of names and Social Security numbers several years ago for a valid reason, but that unencrypted file is still on their workstation years later. These types of practices are all too common and create unnecessary risks.
“It’s very difficult to enforce a robust set of privacy controls if you don’t have strong cybersecurity practices in place. If your cybersecurity situation is porous, that threatens your privacy posture. The two go hand in glove.” – Bruce Brody, Director at PwC
The Solution: Bridging Risk Management and Security

At its core, PwC is a risk firm, and cybersecurity is all about understanding risk and how to manage it. At PwC, that is known as operating left of boom versus right of boom – the boom being a crisis.

“Many agencies tend to find themselves in right-of-boom mode, which is unfortunate because it’s extremely inefficient and consumes a lot of resources,” Brody said.

In contrast, agencies operating left of boom have strong cyber defenses and risk-management programs in place. They are better positioned to quickly respond and recover from an attack. In response to these crippling attacks against agencies and their private-sector counterparts, government leaders are making cyber a priority. Some of those improvements are being mandated by Congress, such as FITARA and FISMA, while others are part of a larger governmentwide effort. The federal Continuous Diagnostics and Mitigation program is one example. What many of these programs have in common is that agencies seek to invest in new tools to help them implement and enforce requirements established by law. PwC works with agencies to ensure those tools are helping them manage cyber risks across the enterprise.

As agencies strive to strengthen their cyber defenses, PwC is working especially close with C-level executives to help them understand the risk-management process and how it’s documented in the framework developed by the National Institute of Standards and Technology. The NIST Risk Management Framework is helping agencies move away from a check-the-box approach to security and embrace a new way of operating that takes into consideration what risks an agency can accept and how to mitigate them.

PwC also focuses on the areas that are greatly impacted by cybersecurity, such as acquisition, financial systems and services, as well as human capital transformation. To help agencies adapt and respond to evolving cyberthreats, the company works with agencies to prioritize their budgets and ensure they have the right tools and skillsets in place to thwart those attacks. “We have capabilities that can help agencies deal with security incidents by managing the potential damage to their reputation and relationships with various regulatory and congressional bodies, their workforce and the press,” Bowen said. “We help agency CIOs and CISOs stress the significance of cybersecurity and privacy and the importance of having those protections in place.”
Conclusion

Although implementing the right security defenses and risk-management practices can seem like a nonstop battle, the truth is cybersecurity isn’t a sprint. It’s a marathon that evolves over time. Brody offered some advice to help agencies prioritize their focus and get employees on board. “A continuous security awareness campaign that appeals to the sensitivities of each employee is needed,” he said. “It can’t be in cybersecurity terms, because they won’t understand. The message has to be in terms that people can grasp.”
About PwC

PwC’s Public Sector Practice helps federal agencies solve complex business issues, manage risk and add value through our comprehensive service offerings in financial management; program management; human capital; enterprise effectiveness; governance, risk and compliance; and technology, all of which are delivered seamlessly throughout the world. To find out more, visit www.pwc.com/publicsector.

To learn more about how PwC helps clients understand their cybersecurity risks, visit: www.pwc.com/cybersecurity.

About GovLoop

GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government.

For more information about this report, please reach out to info@govloop.com.
1152 15th St. NW, Suite 800 Washington, DC 20005 (202) 407-7421 F: (202) 407-7501 www.govloop.com @govloop