Agencies' big security weakness: Lack of money and people

The problem with government IT security is not so much a lack of adequate regulations but a lack of resources to ensure that agencies practice good security, says former Interior CIO Hord Tipton.

Hord Tipton, executive director of (ISC)2, the International Information Systems Security Certification Consortium, had a five-year stint as chief information officer of the Interior Department and also was CIO of the Bureau of Land Management. He was the first CIO to earn (ISC)2’s Certified Information Systems Security Professional credential, and he was the first to certify systems that complied with the Federal Information Security Management Act.

“I think I’m one of the few people who have worked this from both sides,” Tipton said of his experience with certification and accreditation and the use of continuous monitoring tools. — William Jackson

GCN: The revised Certified Authorization Professional, formerly the Certification and Accreditation Professional, credential reflects changes in government guidelines for risk management. How significant are those changes?

Tipton: The emphasis now on continuous monitoring sometimes is seen as being a silver bullet, when in reality, it is not a real change at all. As far back as six years ago, continuous monitoring was a requirement, and it’s always been in the [National Institute of Standards and Technology] guidelines. The harmonization of requirements between the defense and intelligence community and the civilian agencies is really a good thing.

Having studied both the civilian and defense pieces of this, the intent in authorizing and certifying systems was always the same, but there are a lot of different terms. It comes down to definitions and labels you put on things. When you get down to the individual components, things are really not that complicated. The basics for providing good, sound security have not changed. They have been clarified and tweaked. With all of the talk about how horrible FISMA is, if you look at it closely, there [are] still a lot of good things in there; 80 percent of the content is still relevant.


Related stories

Next steps for continuous network monitoring

Continuous monitoring guidance under way at NIST


What are the strengths of continuous monitoring?

The intent from the beginning for continuous monitoring has been the same, and that is to make sure you are up-to-speed and know as much about the status of your system as you can. My intent…was to constantly find ways to move us from a reactive mode to more of a predictive mode. If you think about it today, we know about all the things we have to do to mitigate once we’ve been had, and we often don’t talk about the things that are stopped in the preventive mode through good monitoring. But by and large, I don’t think we can say we have reached the point where we are able to predict what is going to happen.

What are the weaknesses of continuous monitoring, and why are we not closing the gap between reactive and predictive security?

The reason continuous monitoring hasn’t worked the way we think it should have worked over the last six years is essentially because there were very few people complying with it. That is not a criticism of them; I was there. It was just difficult to find resources and people and the skill sets that you needed. There quite frankly are not real consequences for not having those things in place. And they weren’t really well-defined from [the Office of Management and Budget]. What is continuous? Is it measuring your system once a year and reporting?

About the best that we could do were vulnerability scans, network scans and then the [inspector general] would do penetration tests. So you had all those things going, but I would be hard-pressed to say that I got much monitoring on my system short of monthly. That was because we had to do reports on vulnerabilities, including mitigating actions and how much is it going to cost you. Mine were in the millions of dollars, and I had thousands of dollars. That forces you into a position of having to take more risks.

Are we at the point now where we can begin to close the gap?

That’s hard to say. The thing that scares me, having lived in government as long as I have, is that often there is a tendency, due to not having the resources, that you don’t do as good a job as you really would like to do. I came to the conclusion that I’ll never have enough money or people to do the things that I would like to do to make me sleep well at night. You make the best of what you can with what you have.

I still have a concern that we have a tendency in government to jump to the silver bullet. There are some things that can happen that are not necessarily good if you drop everything else and decide that continuous monitoring, for example, is the answer for all of FISMA’s sins. That is pretty dangerous thinking because it deviates from the holistic point of view of managing security. If there is anything that all of us should have learned over the last 10 years, it’s that silo-based security will not work. You can’t depend on your IT people and security specialists to take care of you.

What are the components of IT system security?

I could name about 200, [but] let’s focus on the top. No security systems can be on good, solid ground without an inventory of all the systems and the endpoints that you have. You would be surprised how many entities don’t have adequate asset management systems. If you don’t know where your systems are and you don’t know the endpoints and you don’t know who is on your network, you are doomed before you ever get off the ground. In my case in Interior, by spending about $3 million on five different types of asset management systems scattered through eight different bureaus, I could save $5 million and get that money back in less than a year. And yet I couldn’t find $3 million. Things like that have to change.

The second thing, your security has to be baked in from the beginning. Another element that cannot be overlooked is your data. The whole reason that we manage systems is the data. It must be properly classified. If it is not classified you cannot determine what your risk is. And you have to have a process for risk assessment.

And then there is accountability. You have to have your business people, your system owners plugged in to what security is all about. And you’ve got to have skilled personnel throughout all cycles of managing this, from the beginning down to the continuous monitoring. You have to have people who can read the data. If you don’t have people who are plugged in and know what to do once the information comes across and what it means, then you still haven’t succeeded.

Most of what you have talked about is included in FISMA. Is there much that needs to be changed in regulations at this point?

You can’t legislate success. At one time, Willy Sutton robbed banks because that was where the money was. And now hackers rob networks and steal intellectual property because it all runs on wires. We are never going to eliminate this. It is not a zero-sum game at all. It’s a matter of making sure that we protect the stuff that is most important to us. We have lots of laws, and you have lots of laws and regs that people ignore. You can authorize a whole lot of things, but then there is the other side called appropriation, and all too often, those pieces don’t come together. That’s why you end up in many cases with noncompliance.

What were the most valuable lessons you learned during your tenure as a CIO?

You’ll never have enough money or people to do all the things that need to be done. And this is in large part because the smarter you get, the more problems you can find. You’ve got to do what you can with what you have. It’s not going to be what you need. And the squeaky wheel does really get the grease. If you don’t have a catastrophe — I hate to say it, but those are beneficial. We have to understand our budgets are put together through a very competitive process. IT has to compete with programs, and politicians come to town to see programs, they don’t come to town to see IT. So we have to convince them early on that not only is IT a business enabler, but secure IT is essential.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.