Thales Blog

Federal Government CISOs Talk Data Security (Part 2)

October 16, 2017

Brent Hansen Brent Hansen | Federal CTO More About This Author >

It’s National Cybersecurity Awareness Month – so it seems like an appropriate time to publish Part 2 of my blog series about cybersecurity and the federal government. Last week’s NCSAM theme, “Cybersecurity in the Workplace is Everyone’s Business,” was informed by the recognition that creating a culture of cybersecurity is critical, and must be a shared responsibility among all employees. I couldn’t agree more, and believe this is an ethos shared in the public and private sectors alike.

In my last blog, I highlighted some of the takeaways resulting from the Thales eSecurity-organized roundtable breakfast with federal government CISOs and CIOs. Held at the National Press Club in Washington, D.C., the discussion focused on trends and future directions in data security across federal civilian, defense and intelligence agencies. As promised, Part 2 explores some proposed solutions to the challenges raised previously and shares suggestions for building out an encryption-centric security strategy:

Federal Government CISOs Talk Data Security (Part 2)

On handling risk management

In my first blog, I noted one universally agreed-upon takeaway: security comes down to risk management. “If you try to defend everything you will end up defending nothing,” one federal leader said. “You must prioritize.”

One way to do this is to assign value to information and assets – a route taken by a large federal department as a way to determine where to spend time and money. Assigning value involves determining how much, or how difficult, it would be to restore lost data following a breach, along with a privacy map to determine the most sensitive data. By taking the time to evaluate risk and align investments, agencies can make smarter, more targeted security decisions.

On managing system complexity

As established earlier, federal agencies struggle in part because of the complexity of their systems. Also concerning is the plethora of aging legacy systems still in place, with one example being a 53 year-old Strategic Automated Command and Control System at the Department of Defense that coordinates U.S. nuclear forces and uses 8-inch floppy disks.

Large enterprise environments have up to 1,000 firewalls. As complexity has increased over the past 20 years, their effectiveness has diminished. While there were conflicting viewpoints about the feasibility of a common architecture, (the federal civilian sector has a much-diversified agency model that make a common architecture challenging) there is appetite for starting with a few integrated services and building from there. It certainly beats the status quo.

On instilling resiliency

Agencies expect breaches, so resiliency is a top priority. We have to be able to take a punch and keep going. To do so, government agencies must operate under a zero-trust model.

In my previous blog, I touched on the role of encryption in building resiliency. One agency, for example, made the decision to encryption its raw mission data. It did not bother defending wikis or websites, but focused solely on its most important mission data. As a result, no mission data has been breached. However, many agency leaders admitted that when it comes to encryption, they don’t know where to start. There were also questions posed about how to manage unstructured data, whether every endpoint should be encrypted and how to prioritize data.

While encrypting data may seem daunting, it’s in fact much less complex than what its reputation has made it out to be. The days of slow, cumbersome, highly complex and disparate encryption technologies have passed. Many encryption solutions available offer operational simplicity, minimize risk, and ensure security agility. Good solutions are quick to install, easy to use, easy to scale and cost-effective.

While by no means an exhaustive data security blueprint, organizations and government agencies committed to implementing an encryption-centric data protection strategy should consider:

  • Deploying security tool sets that offer services-based deployments, platforms and automation;
  • Discovering and classifying the location of sensitive data within cloud, SaaS, big data, IoT and container environments; and
  • Leveraging encryption and Bring Your Own Key (BYOK) technologies for all advanced (cloud, IoT, big data, container, etc.) environments

Have questions or comments about anything discussed here? Leave a comment below or send me a LinkedIn message. I also recommend you check our 2017 Data Threat Report, Federal Government Edition, or our dedicated Thales federal government data protection page.