Agencies' big security weakness: Lack of money and people

Hord Tipton, executive director of (ISC)2, the International Information Systems Security Certification Consortium, had a five-year stint as chief information officer of the Interior Department and also was CIO of the Bureau of Land Management. He was the first CIO to earn (ISC)2’s Certified Information Systems Security Professional credential, and he was the first to certify systems that complied with the Federal Information Security Management Act.

“I think I’m one of the few people who have worked this from both sides,” Tipton said of his experience with certification and accreditation and the use of continuous monitoring tools. — William Jackson

GCN: The revised Certified Authorization Professional, formerly the Certification and Accreditation Professional, credential reflects changes in government guidelines for risk management. How significant are those changes?

Tipton: The emphasis now on continuous monitoring sometimes is seen as being a silver bullet, when in reality, it is not a real change at all. As far back as six years ago, continuous monitoring was a requirement, and it’s always been in the [National Institute of Standards and Technology] guidelines. The harmonization of requirements between the defense and intelligence community and the civilian agencies is really a good thing.

Having studied both the civilian and defense pieces of this, the intent in authorizing and certifying systems was always the same, but there are a lot of different terms. It comes down to definitions and labels you put on things. When you get down to the individual components, things are really not that complicated. The basics for providing good, sound security have not changed. They have been clarified and tweaked. With all of the talk about how horrible FISMA is, if you look at it closely, there [are] still a lot of good things in there; 80 percent of the content is still relevant.

Related stories

Next steps for continuous network monitoring

Continuous monitoring guidance under way at NIST

What are the strengths of continuous monitoring?

The intent from the beginning for continuous monitoring has been the same, and that is to make sure you are up-to-speed and know as much about the status of your system as you can. My intent…was to constantly find ways to move us from a reactive mode to more of a predictive mode. If you think about it today, we know about all the things we have to do to mitigate once we’ve been had, and we often don’t talk about the things that are stopped in the preventive mode through good monitoring. But by and large, I don’t think we can say we have reached the point where we are able to predict what is going to happen.

What are the weaknesses of continuous monitoring, and why are we not closing the gap between reactive and predictive security?

The reason continuous monitoring hasn’t worked the way we think it should have worked over the last six years is essentially because there were very few people complying with it. That is not a criticism of them; I was there. It was just difficult to find resources and people and the skill sets that you needed. There quite frankly are not real consequences for not having those things in place. And they weren’t really well-defined from [the Office of Management and Budget]. What is continuous? Is it measuring your system once a year and reporting?

About the best that we could do were vulnerability scans, network scans and then the [inspector general] would do penetration tests. So you had all those things going, but I would be hard-pressed to say that I got much monitoring on my system short of monthly. That was because we had to do reports on vulnerabilities, including mitigating actions and how much is it going to cost you. Mine were in the millions of dollars, and I had thousands of dollars. That forces you into a position of having to take more risks.

Are we at the point now where we can begin to close the gap?

That’s hard to say. The thing that scares me, having lived in government as long as I have, is that often there is a tendency, due to not having the resources, that you don’t do as good a job as you really would like to do. I came to the conclusion that I’ll never have enough money or people to do the things that I would like to do to make me sleep well at night. You make the best of what you can with what you have.

I still have a concern that we have a tendency in government to jump to the silver bullet. There are some things that can happen that are not necessarily good if you drop everything else and decide that continuous monitoring, for example, is the answer for all of FISMA’s sins. That is pretty dangerous thinking because it deviates from the holistic point of view of managing security. If there is anything that all of us should have learned over the last 10 years, it’s that silo-based security will not work. You can’t depend on your IT people and security specialists to take care of you.

What are the components of IT system security?

I could name about 200, [but] let’s focus on the top. No security systems can be on good, solid ground without an inventory of all the systems and the endpoints that you have. You would be surprised how many entities don’t have adequate asset management systems. If you don’t know where your systems are and you don’t know the endpoints and you don’t know who is on your network, you are doomed before you ever get off the ground. In my case in Interior, by spending about $3 million on five different types of asset management systems scattered through eight different bureaus, I could save $5 million and get that money back in less than a year. And yet I couldn’t find $3 million. Things like that have to change.

The second thing, your security has to be baked in from the beginning. Another element that cannot be overlooked is your data. The whole reason that we manage systems is the data. It must be properly classified. If it is not classified you cannot determine what your risk is. And you have to have a process for risk assessment.

And then there is accountability. You have to have your business people, your system owners plugged in to what security is all about. And you’ve got to have skilled personnel throughout all cycles of managing this, from the beginning down to the continuous monitoring. You have to have people who can read the data. If you don’t have people who are plugged in and know what to do once the information comes across and what it means, then you still haven’t succeeded.

Most of what you have talked about is included in FISMA. Is there much that needs to be changed in regulations at this point?

You can’t legislate success. At one time, Willy Sutton robbed banks because that was where the money was. And now hackers rob networks and steal intellectual property because it all runs on wires. We are never going to eliminate this. It is not a zero-sum game at all. It’s a matter of making sure that we protect the stuff that is most important to us. We have lots of laws, and you have lots of laws and regs that people ignore. You can authorize a whole lot of things, but then there is the other side called appropriation, and all too often, those pieces don’t come together. That’s why you end up in many cases with noncompliance.

What were the most valuable lessons you learned during your tenure as a CIO?

You’ll never have enough money or people to do all the things that need to be done. And this is in large part because the smarter you get, the more problems you can find. You’ve got to do what you can with what you have. It’s not going to be what you need. And the squeaky wheel does really get the grease. If you don’t have a catastrophe — I hate to say it, but those are beneficial. We have to understand our budgets are put together through a very competitive process. IT has to compete with programs, and politicians come to town to see programs, they don’t come to town to see IT. So we have to convince them early on that not only is IT a business enabler, but secure IT is essential.