For agencies pursuing new ways to share and manage data, Government Accountability Office (GAO) Director of IT and Cybersecurity Nick Marinos recommends focusing on the agency’s mission and incorporating security early on in the process.
At Veritas Public Sector Vision Day on Dec. 10, Marinos said that agencies attempting to comply with the Federal Data Strategy often skip the first step of recognizing how data fits into the agency mission. A scan of what data is available, and what it’s used for, can help an agency integrate security into its data management processes, Marinos explained.
“Thinking upfront about ‘what data do we actually have?’ and ‘what do we use the data for?’ are really the most important questions to ask even from a security and privacy perspective,” he said.
At GAO, audit teams will map out the flow of information within an agency. These flowcharts create a strong awareness of data touchpoints and, therefore, possible security precautions.
“It’s no shock to anyone that we have operated in a culture where security gets bolted on after the fact,” Marinos said. “Oftentimes we end up seeing the chief information officer not truly empowered or aware.”
To mitigate this, the GAO official emphasized the importance of collaboration. Marinos said that bringing in folks outside of the CIO’s office to share their security considerations can help ensure that all fronts are protected. It can also help the CIO stay more informed about the breadth of agency needs.
“Ultimately, there are a lot of efficiencies to be gained if stakeholders are talking to each other… The important piece is whether all of those stakeholders have a voice in the decisions being made,” he said.
Marinos also advocated for the value of a zero-trust approach to data cybersecurity, but said it was important to consider where the data resides and possible conflicts with government-wide initiatives.