Trickle-Down Security

Agencies are looking at cybersecurity in a new way. Vendors, too.

As security threats have become more sophisticated, government agencies are under more pressure to improve cybersecurity. Companies providing cybersecurity products and solutions are feeling it, too, including expectations that they have a breadth of product and application experience that wasn’t required in the past.

Alyssa Miller, manager of security management at CDW•G, has noted the change. “There’s definitely been an improvement in the understanding of our customers in what they need,” she says. “It used to be they’d be looking for a specific tool or penetration test; now they want to understand such things as Secure Software Development Life Cycle (SDLC) and how we incorporate security into any development we do for them.”

At the project level, where work involves supply chain protection and the development of new technologies by external suppliers, government acquisition professionals are asking IT providers to scrutinize more closely the manufacturers and developers of technology used by government.

Many agencies simply don’t have the expertise to fully vet their suppliers or even their own processes against the volume of regulations they must comply with, Miller says. They go to contractors such as CDW•G to augment that and offload a lot of that work.

“That’s a real shift in mindset from even five years ago,” she says.

If government follows the recent Mitre report on supply chains, “Deliver Uncompromised,” agencies would be encouraged to incorporate security into their business processes. Risk-based security should be viewed by providers as a profit center for the capture of new business rather than an expense that hurts the bottom line, Mitre says.

DOD, through its recently announced supply chain program, is taking the lead on this. “While DOD cannot control all the actions of its numerous information systems and supply chain participants,” the Mitre report explains, “it can lead by example and use its purchasing power and regulatory authority to move companies to work with DOD to enhance security through addressing threat, vulnerabilities, and consequences of its capabilities to adapt to dynamic, constantly changing threats.”

For both vendors and government agencies, it really comes down to understanding that security is “not a thing you do or implement,” Miller says. “Security is a mindset and a way of doing business, a constant everyday approach.”

 

The CDW•G Approach

CDW•G’s advantage is a breadth of expertise that boutique providers don’t have. That gives it a broad sense of an organization’s needs and how to apply that insight to build custom solutions that fit the specific security needs of an agency. The alternative is to shoehorn standard products into a one-size-fits-all solution. CDW•G takes a four-step approach to each project:

Assess: Evaluate business objectives, technology environments and processes; identify opportunities for performance improvements and cost savings.

Design: Recommend relevant technologies and services; document technical architecture, deployment plans, “measure of success,” budgets and timelines.

Deploy: Assist with product fulfillment, configuration, broad-scale implementation, integration and training.

Manage: Proactively monitor systems to ensure technology is running as intended; provide support when and how you need it.