Earlier in September, I had the privilege of joining federal government CISOs and CIOs for a Thales eSecurity-organized roundtable breakfast discussion focused on trends and future directions in data security across federal civilian, defense and intelligence agencies. Informed by findings from 2017 Data Threat Report, Federal Government Edition and the recent Cyber Executive Order (EO) on data protection, the conversation primarily centered on how to control access and protect data at rest, in the data center, cloud and tactical edge from cyberattacks.
This year, we were delighted to welcome as our keynote speaker Brigadier General Greg Touhill (USAF, Ret.), former Federal CISO of the United States and now President of the Cyxtera Federal Group at Cyxtera Technologies. His keen insights added an extra layer to an already engaging (and spirited) dialogue. For more on that, keep reading:
On risk management
While each federal agency IT security team faces unique hurdles, there is an item of universal consensus: at its core, security comes down to risk management. “If you try to defend everything you will end up defending nothing,” one federal leader said. “You must prioritize.”
In general, government technology leaders should take a step back and evaluate the user experience and the threat environment to get a better picture of the enterprise. Budgets, people and technology will ultimately govern risk, so agency leaders must align defenses for the most critical and likely scenarios. Agencies should not take chances on the latest fads in enterprise security, and instead focus on making informed decisions on the data and information that is available.
On the feasibility of a common architecture
Federal agencies struggle, in part, because of the complexity of systems. One executive said their architecture is based on a “1980s org chart.”
Could a common IT architecture and centralized service model be maintained to support the .gov domain? Should the federal government establish a DISA-like agency to deliver cyber tools and managed services? While the leaders richly debated these questions they did reach consensus that something needs to be done to replace the current “Wild West” environment.”
On zero trust
Looking forward, resiliency will be a chief concern. Agencies expect breaches, so resiliency is a top priority. The takeaway? We have to be able to take a punch and keep going. To do so government agencies must operate under a zero-trust model. When asked who at the table has experienced a DDoS attack, every hand went up.
One capability to help overall security is encryption. While many admitted they did not know where to start, the consensus was that with encryption “the data could defend itself,” thus reducing the requirements on supporting technology and buying down risk.
There is much more to say – so please keep an eye out for my next blog, which will explore some proposed solutions to the challenges raised above and share suggestions for building out an encryption-centric security strategy.
In the meantime, I’m interested in hearing from you. Have questions or your own insights? Leave a comment below or send me a LinkedIn message. You can also check out our dedicated Thales federal government data protection page.