While Federal government cybersecurity dominates news headlines this year – from the Biden administration’s executive order (EO) to the spate of high-profile attacks on government and private sector targets – Federal government chief information security officers emphasized this week the importance of tried and true best practices, current tooling, and workforce education in the campaign to improve defenses.
“Cybersecurity has become more prevalent, and we see that not just with the EO, but in the actions that many in the Federal space are taking,” said Gerald Caron, CIO and assistant inspector general for IT at the Office of the Inspector General for the Department of Health and Human Services (HHS), during a keynote address at an ATARC event on October 14.
That activity, he said, spans “guidance from the Office of Management and Budget, interagency memos on cyber hygiene, and even the adoption of a zero-trust strategy.”
Federal CISOs speaking at the event agreed that understanding what is going on at every level of an agency’s cyber practice is a vital step to maintaining secure networks.
Davon Tyler, CISO for the U.S. Mint, emphasized that the success of any cybersecurity best practices or security infrastructure depends on every employee in the agency – even those in non-tech positions – understanding requirements and taking appropriate actions.
“Properly educating the entire staff and making sure that everybody understands the larger purpose and their piece, even if it’s a small piece, are all equally important and crucial to implementing cyber practices,” Tyler said. When the U.S. Mint underwent a shift to a zero-trust infrastructure, the agency ensured every staff member understood the new set-up and their roles in this new ecosystem, he added.
Robert Wood, CISO and director for the Centers for Medicare & Medicaid Services at HHS, pointed out that sometimes Federal agencies are quick to adopt and invest in the newest shiny security software on the market, but emphasized, “that is not always going to get you what you need.”
“There is a tendency in our field to add more and more stuff when a challenge or problem comes up,” he said. Instead, “we need to look at the tools we have at hand. And when we do, we’ll find that we have a lot more than we think. And some cases we might want to reinvest in some capabilities.”
Tyler agreed with Wood’s recommendation, saying, “there’s a bunch of [tools] we already have that could do the job. All it takes is properly configuring them to get the job done.”