Innovations that strengthen cybersecurity
- By Amanda Ziadeh
- Jan 26, 2016
What: ACT-IAC’s “Strengthening Federal Cybersecurity: Results of the Cyber Innovation Ideation Initiative” -- a distillation suggestions from the cybersecurity community presented to U.S. CIO Tony Scott.
Why: In light of recent breaches in both public and private sector organizations, ACT-IAC assembled recommendations from industry, government and academia on ways agencies can strengthen cybersecurity programs.
Findings: The report addressed security challenges in a few key areas, such as lack of communication between cybersecurity professionals and agency business executives, threat information sharing and cybersecurity-related training. From the nearly 200 ideas submitted, ACT-IAC provided eight broad recommendations:
Focus on fundamentals. Agency leaders should take a methodical, deliberate approach to cybersecurity, ensuring they have accurate and continuously maintained inventories of all IT assets and security controls, follow security standards and increase staff accountability.
Secure business systems. Agency business program managers must understand the cyber risks in their day-to-day operations, and improve asset management and access controls across business systems.
Speed breach response. Agencies need effective breach response plans and procedures that include “signature-based” techniques, penetration testing, breach awareness technologies and greater staff awareness.
Adopt multilayered security. To improve breach resilience, agencies should focus on protecting data and tracking data exfiltration, rather than just enterprise security architecture, and transition to a “network of secured systems.”
Share threat intelligence information. To minimize risk most efficiently, agencies should share threat data with the vendor community and other agencies, standardize threat-data sharing processes and encourage easier sharing practices.
Modify cyber talent search. Agencies should use internships and outreach programs to target high school and college-level talent, look for individuals already familiar with agency technology (both inside agency IT offices, and outside through hackathons and high-profile cyber conferences) and focus on performance-based training and skills.
Make risk management an executive-level responsibility. The report recommends that agencies transition from a compliance-focused approach to a risk management-focused one by implementing a cybersecurity governance framework with guidelines that integrate with organizational business models.
Build security into acquisition. Agencies are urged to opt for a process that is agile, dynamic and responsive to procure services and capabilities, such as cloud or software-driven infrastructures.
Read the full report here.
Amanda Ziadeh is a former reporter/producer for GCN.