Operational security drives mission results
By Stan Lowe
Feb 22, 2019
What does cybersecurity operational “excellence” look like for federal agencies? Traditionally, cybersecurity has been a compliance-driven activity, with agencies focusing more on complying with regulations -- and showing they’ve done so -- than actually securing government from operational threats.
Today, the goal is to shift to operational security as the federal government works to modernize IT and improve efficiency. Modernization requires implementing cloud-based applications, but it adds complexity, making cybersecurity compliance even more onerous and confusing. Too often, agencies are left to make individual decisions based on their understanding of compliance as it relates to the cloud. For the mission areas, compliance is often viewed as an obstacle to go around, over or underneath.
The reality is that most agencies are good at compliance (because they’re forced to be), but they must begin to shift their focus to operational security. Against this backdrop, the Federal Risk and Authorization Management Program (FedRAMP) and the Continuous Diagnostics and Mitigation (CDM) initiative give every agency the ability to significantly improve its security posture -- if they use them.
FedRAMP is reducing risk with a “certify once, use many” approach. Agencies take advantage of cloud applications and data in a known, certified, tested and accredited environment without having to take the certification steps themselves. By reducing risk and putting more consistent security controls in place across government, agencies can focus on securing the mission and achieving operational excellence -- the real goal for agencies implementing cloud technology.
The Department of Homeland Security's CDM program offers cyber capabilities “as a service” to agencies -- level-setting the tools agencies use, providing a holistic view of the threats faced across government and reducing costs through volume acquisitions. And, most important, CDM provides clear steps to put operational security into action. The CDM program continues to evolve, and many believe agency performance will become part of a grading component for the House Oversight and Government Reform Committee’s Federal Information Technology Acquisition Reform Act scorecard.
Together, FedRAMP and CDM offer the opportunity to implement operational security and reduce cyberthreats. The challenge: adoption is too slow.
A December 2018 Government Accountability Office report that evaluated federal information security maturity found 17 of 23 inspectors general reported their agencies’ programs were not effectively implemented. Most of the 23 agencies had not fully implemented CDM Phase I and II tools and services. The report noted that until agencies “more effectively implement the government’s approach and strategy, federal systems will remain at risk.”
The point of compliance-focused legislation like the Federal Information Security Management Act was to focus agencies’ attention on developing and implementing a cyber program and proving that they did so. That goal has been achieved. Today, we need to shift our focus to operational security. This requires transformational change in how we think about both the network and cyber as we work to meet evolving federal missions -- leveraging the cloud to add services efficiently. It’s more than any single agency can track alone, and it's why the FedRAMP and CDM programs are so important.
Once an agency achieves the basics of operational security, compliance naturally follows. We are moving in the right direction. If agencies use the programs in place, we can collectively reduce cyber risks across government and implement modern solutions to drive operational excellence.
Stan Lowe, a cybersecurity and technology executive, has successfully led transformational change in large, complex environments, as well as small and mid-size cybersecurity and IT organizations.
As Zscaler Global Chief Information Security Officer, Stan oversees the security of the Zscaler enterprise and works with the product and operations groups to ensure that Zscaler products and services are secure. Part of his focus is to work with customers to help them fully utilize Zscaler services and realize the maximum return on their investment.
Prior to joining Zscaler, Stan served as the VP & Global Chief Information Security Officer for PerkinElmer, where he was responsible for global enterprise security and privacy. He has also been a Cyber Security Principal at Booz Allen Hamilton.
Stan has extensive federal experience, serving as the U.S. Department of Veterans Affairs (VA) Deputy Assistant Secretary for Information Security, Chief Information Security Officer, and Deputy Chief Privacy Officer, as well as Deputy Director of the Department of Defense/VA Interagency Program Office. Before joining the VA, Stan served as Chief Information Officer of the Federal Trade Commission. Stan’s public service record extends to the U.S. Department of Interior in the Bureau, the U.S. Postal Service Inspector General, and the U.S. Navy.
Stan has also served as an executive in several technology startups, and currently serves on several boards advising on cybersecurity. He is a frequent speaker and writer on security topics.