The new year will see a convergence of IT security and operations, as agencies spread security responsibilities across IT departments and security tools are integrated earlier into the software lifecycle.
Two powerful trends will shape the government cybersecurity agenda in the coming year, say security experts, but they have more to do with how government security is managed than what technologies will better defend agency systems.
First, cybersecurity will increasingly be integrated from the start into the platforms and software being acquired and developed by agencies. This means that perimeter defenses – already abandoned to the realm of what is necessary but inadequate – will receive less attention as cybersecurity becomes more integrated into the government infrastructure.
Also, cybersecurity will no longer be considered the exclusive province of the CISO or the CSO, but will become a professional requirement for everyone responsible for IT services to the agency. “As a security vendor, we are ending up in conversations with the IT shop,” rather than just the security shop, said Ken Ammon, chief strategy officer for Xceedium, an identity management company. “Next year will be the year of convergence.”
That outlook is backed up by a study by the National Association of State Chief Information Officers (NASCIO) and consulting firm Deloitte, which found that as CISO responsibilities evolve to include risk and compliance, many CISOs are also becoming accountable for a range of other areas. “CIOs and state leaders need to consider creative ways of allocating and managing these expanding responsibilities,” NASCIO said.
The upshot: The new year will see an increased blending of security and operations in IT.
This integration of security could help take some of the sting out of the expected downtick in cybersecurity spending in the coming year, from $1.44 billion in fiscal 2014 to the $1.41 billion requested in the president’s FY 2015 budget. And as CSOs move from merely overseeing regulatory compliance to getting a seat at the table for IT system design, it will become more difficult to break out the dollars going specifically to cybersecurity.
The budget recognizes that “cyber threats are constantly evolving and require a coordinated, comprehensive and resilient plan for protection and response,” and includes $680 million for basic research, including cybersecurity, at the National Institute of Standards and Technology.
There also is $549 million to support the Homeland Security Department’s EINSTEIN intrusion detection and prevention system and $35 million to co-locate civilian cybersecurity agencies at a Federal Cyber Campus.
The threats facing agencies are becoming more complex and serious, continuing a multiyear trend toward stealthy, long-term attacks that are discovered only long after the damage has been done. The average time to discover a breach now is about 250 days, and most are discovered by a third party rather than by the victim, said Rob Roy, federal CTO for HP Enterprise Security Products.
As these breaches are discovered, it is becoming clear that the human factor in security requires more attention: spearphishing and other forms of social engineering are now common vectors for malware. This problem is highlighted by the most recent Federal Employee Viewpoint Survey, which shows growing disengagement and dissatisfaction among government employees. The global satisfaction index was flat at a disappointing 59 percent for 2013, and IT specialists scored lowest on employee engagement and satisfaction.
“It shouldn’t be a surprise when you see survey results like this,” Paul Christman, public sector vice president at Dell Software, said of the growing role of humans in IT breaches. Cybersecurity requires a holistic approach that includes cost-effective training both for IT specialists and for end users.
The government’s security travails will have some impact on demand for new tools and agency IT acquisition decisions.
While the adoption of cloud computing will continue to expand in 2015, the benefits of the hybrid cloud model – a combination of secure private cloud for sensitive data and critical functions and a more flexible and economical public cloud for public facing information – could be more attractive as administrators balance flexibility with security.
According to a pair of recent vendor reports on cloud computing, improved security is a primary reason for moving to the cloud, with nearly two thirds of government respondents in a survey commissioned by General Dynamics Information Technology citing secure infrastructure as a top benefit. At the same time, a survey commissioned by SafeNet found that IT security professionals feel they are losing control of data in the cloud.
These apparently conflicting results show that securing the cloud is possible and practical, but that greater emphasis is needed on governance and establishing policies for using and managing cloud computing. “There is no doubt” that use of everything the cloud has to offer will continue to expand, said SafeNet CSO Tsion Gonen. “That is not surprising.”
To enable this continued expansion, cloud providers will develop better ways to separate cloud functions, so that management of the infrastructure can be segregated from control of the data. This will include a separate layer of cryptography managed exclusively by the cloud user, giving the user more complete custody of its data. “All cloud providers have or will offer this,” Gonen said.
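One common way to build the user-managed cryptography layer described above is envelope encryption: the tenant keeps a key-encryption key (KEK) that never leaves its side, encrypts each object under a fresh data key (DEK), wraps the DEK under the KEK, and hands the provider only ciphertext. The Go program below is an added illustration written for this article; it is not code from the article, from SafeNet or from any cloud provider. The `Envelope`, `Seal` and `Open` names, the use of the object ID as associated data, and the sample record are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the (hypothetical) cloud provider stores. It holds only
// ciphertext: the object encrypted under a per-object data key (DEK), and the
// DEK itself wrapped under the tenant's key-encryption key (KEK). The KEK
// never appears here, so the provider cannot recover the plaintext.
type Envelope struct {
	WrappedDEK []byte // AES-GCM(KEK, DEK), nonce prepended
	Ciphertext []byte // AES-GCM(DEK, object), nonce prepended
}

// NewKEK generates a 256-bit key-encryption key held only by the tenant.
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return kek, nil
}

// gcmSeal encrypts plaintext under key with a fresh random nonce and returns
// nonce || ciphertext || tag. aad binds the result to its context.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// gcmOpen reverses gcmSeal and fails on any modification of the input.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// Seal runs on the tenant side: a random DEK encrypts the object, the KEK
// wraps the DEK, and only the Envelope is handed to the provider. objectID
// is used as associated data so an envelope cannot be swapped between
// objects without detection. (Assumed design for this example.)
func Seal(kek []byte, objectID string, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := gcmSeal(dek, plaintext, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Open runs on the tenant side: unwrap the DEK with the KEK, then decrypt.
// Without the KEK (the provider's position) neither step is possible.
func Open(kek []byte, objectID string, env Envelope) ([]byte, error) {
	dek, err := gcmOpen(kek, env.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Ciphertext, []byte(objectID))
}

func main() {
	kek, err := NewKEK() // stays with the tenant; never sent to the provider
	if err != nil {
		panic(err)
	}
	record := []byte("constructed sample record: case file 0001") // constructed data
	env, err := Seal(kek, "records/0001", record)
	if err != nil {
		panic(err)
	}
	// The provider stores env: it can replicate and return it, but cannot read it.
	back, err := Open(kek, "records/0001", env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("tenant recovers: %s\n", back)
}
```

The point of the split is custody: the provider operates the storage and can rotate disks or replicate regions without ever being able to unwrap a DEK, while the tenant can revoke access to everything it stored by destroying or rotating a single KEK. Real deployments put the KEK in a hardware security module or a key-management service under the tenant's control rather than in process memory.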
Another way to provide the necessary level of control over data and other resources is the hybrid cloud model described above.
“You hear a lot about hybrid cloud,” said Damian Whitham, senior director of cloud computing solutions at General Dynamics IT. But so far there has been little practical implementation of it: government has focused primarily on the private cloud, with some public cloud use, and only 27 percent of agencies use a hybrid model. “They are trying to crack the code of implementing it,” Whitham said.
With much of the low-hanging fruit of cloud computing now gathered, agencies will be paying more attention to how to match business objectives with cloud offerings to achieve their goals of reducing IT costs, becoming more flexible and efficient, reducing their carbon footprints and ensuring the security and privacy of data.
“We need to get more stakeholders involved,” Whitham said. “Including the operational side, not just IT.”