Data-level security is not just another mandate. It’s a necessity.
That was a recurring theme during a roundtable discussion held in advance of the Data Security Summit at Spire in Washington, D.C. The theme of the summit, sponsored by Thales eSecurity, was “IT Modernization: The New Cyber Agenda.”
The roundtable, including more than a dozen IT and cyber leaders from government and industry, explored the business drivers, challenges and evolving strategies around cybersecurity in government. The discussion was wide-ranging, but repeatedly came back to the necessity of data security.
Under the rules of the roundtable, the content of the discussion was not for individual attribution, except for two formal presentations that set the stage. But here are six takeaways that distill the thrust of the discussion.
1. Cybersecurity has always been about the data
In one of the opening presentations, Jim Quinn, the lead systems engineer for the Continuous Diagnostics and Mitigation program at the Department of Homeland Security, discussed how CDM is pivoting to help agencies focus on data-level security.
But the new emphasis on data-level security across government reflects a change in means, not ends. The goal has always been to protect information, said Quinn. What’s different now is that cyber efforts are beginning to put controls closer to the data itself, rather than focusing on the perimeter.
2. The urgency around data security is increasing
Over the years, the federal government has developed a wide range of cyber policies, programs and technologies, yet data breaches are occurring with increasing frequency.
The 2018 Thales Data Threat Report, Federal Edition, notes that 71 percent of agencies have been breached, which is a threefold increase from three years ago, said Peter Galvin, Thales eSecurity’s chief strategy officer, in the other opening presentation.
And the data environment only continues to grow more complex. Cloud containers, big data, the Internet of Things and digital payments are helping to transform the federal IT enterprise, but they also introduce new vulnerabilities that must be addressed, Galvin said.
3. Cyber is sometimes still seen as an impediment (but it’s not)
There is a certain logic here: In modernizing their systems, agencies often are looking to make information and services more readily available to citizens and other stakeholders. So why invest so much money in trying to protect it?
“We’re giving away the data,” said one participant. From that perspective, “cyber gets in front of the mission.”
Another participant pointed out that the current push for modernization also makes it difficult to ensure cybersecurity gets appropriate attention. IT leaders are focused on “adding more and more capabilities and systems” to support the mission. But they need to understand that “protecting data is part of the mission.”
4. The role of compliance is…complicated
The roundtable discussion included a lively conversation about the role of compliance. Both government and industry participants agreed that people often mistakenly assume that if they comply with all applicable cyber policies and standards, their systems are secure, and so they don’t understand why data breaches keep happening.
What they need to realize is that compliance generally establishes a baseline for security—the least that should be done—and provides no guarantee that systems won’t be breached. Agencies that focus all their time and energy (and budget) in meeting various mandates will have trouble keeping up with evolving cyber threats, roundtable participants agreed. “We need to break the compliance bubble,” one said.
Still, one administration official pointed out that compliance was still necessary—that while not sufficient, some agencies still need that “nudge” to establish a cyber baseline on which to build.
5. Agencies must own their cyber responsibilities
Commercial cloud services offer agencies a lot of flexibility in how they acquire, manage and deliver information and services. They also have a wide range of options for securing those services, from buying point products to using managed services. But one thing has not changed with the cloud: When it comes to ensuring data security, agencies are still the responsible party.
IT developers often fail to remember that, said one participant. They think that when they put services in the cloud, “they’re transferring risk to someone else.” This is why training is important, the participant said.
Ultimately, said another participant, agencies need to approach data security at the enterprise level, putting in place consistent policies, processes and technologies across the board—and to ensure that data security remains a top priority.
6. Data security is a matter of law
As noted earlier, cyber policies and strategies have changed a lot in recent years—most recently with the focus on data-level security. But Quinn reminded everyone that data security is not just a matter of policy: It’s written into U.S. law.
The U.S. Code specifically directs agencies to ensure the confidentiality, integrity and availability of government data, Quinn said, citing 44 U.S.C., Sec. 3542. Policies and strategies will continue to evolve, but the law remains the same.