By Teddra Burgess, SVP, Public Sector, Tanium
There’s been no shortage of criticism around President Biden’s new $773 billion defense budget. That’s no surprise, as federal budgets always draw attention – and provide ample opportunity for political posturing and finger-pointing – regardless of the actual figures involved.
Numbers aside, when it comes to America’s cyber defense, we should do our best to put partisanship on the shelf and seek multilateral ways to ensure our cybersecurity is strong and resilient.
Such concern extends far beyond the federal government: Ransomware and other criminal cyberattacks against targets like K-12 schools, municipalities, universities, and every conceivable private-sector industry are all on the rise, so we’re not faced solely with nation-state cyber warfare. In fact, criminal gangs have been waging war on consumer data and personally identifiable information (PII) for some time now. During the pandemic, threat actors took advantage of our increased vulnerability through global supply chains by ramping up threats and expanding attack vectors, which we believe will continue to climb throughout 2022.
The war in Ukraine has catalyzed interest in cyber readiness. But even those of us who have been preparing for cyber war over the last several decades are now reevaluating our toolkits to ensure complete preparedness should we need to engage in a full-scale cyber conflict. Cyber warfare may be a relatively new type of war but preparing for it should be no less urgent than preparing for physical combat.
To do that, there are four major components of cyber preparedness that government agencies and military branches should address: intention, cyber hygiene, controls, and people.
Why Intention Matters
When Dwight Eisenhower gave his landmark speech on the dangers of the military industrial complex, he spoke of the need to find agreement on contentious issues and to exercise good judgement by striving for balance and seeking progress. He astutely remarked that the lack of good judgement eventually leads to imbalance and, unsurprisingly, frustration—a sentiment that’s all too familiar to modern-day chief information security officers (CISOs) charged with keeping their organizations—whether public or private—secure in the face of shifting attack vectors.
The past two decades have given rise to a thriving cybersecurity industrial complex not unlike Eisenhower’s military one. Yet despite the Hydra-like growth of security vendors, the thousands of new capabilities that purport to control for risk levels, and the attendant rise in spending on security-related products and services, attack vectors keep growing. As they grow, they contribute to often unnecessary spending to maintain an already costly security infrastructure.
As a result, it’s important to rethink and retool the solutions we have and the approaches we use to better understand what our current security investments are delivering, whether their results are still relevant, and what gaps still exist. Do we have proper controls in place? Can we scale in real or near-real time to meet challenges as they surface? Are our existing tools truly delivering on their promises? At the end of the day, it’s crucial that organizations think through and continuously assess their tech stack or they’ll find they’re not only wasting budget, but risking much more.
We’re behind in some areas and can do better; we are not as prepared globally as we might be. But we do have strong cybersecurity leadership and the right intentions to meet today’s challenges. Attacks today are more complex, layered, and targeted. Threat actors have shut down meat packing plants, disrupted critical infrastructure, and ransacked government agencies. We’re now also facing the implications of nation-state cyberattacks; the potential disruption of satellites and communications systems, of utilities like water, oil, and electricity. There are threats to physical and cyber defenses as well as the potential onslaught of misinformation campaigns designed to cause chaos and confusion. Nothing is off the table: Attackers will strike wherever it hurts us the most.
President Biden’s budget proposal is a step in the right direction, but debate continues around whether it’s big enough and where the dollars are going. That’s where intention gives way to results.
Getting back to basics
Hackers don’t need brute-force tactics to break into network and data assets: they can, and often do, login with stolen or compromised credentials. They exploit weaknesses in third-party software. They even con employees into doing the dirty work for them. Government agencies are rightly focused on decreasing these risks, reducing technology complexity, achieving better compliance, and doing whatever else it takes to prevent sensitive data breaches.
But that’s not enough. Agencies must first understand what lives in their own environments: What are their IT assets? How many devices connect to their agency? How many servers? What’s on the network? What’s in the cloud? What tools are configured on devices and other endpoints? Are the tools configured correctly? Can they see absolutely everything in their environments and make real-time changes with up-to-the-second data?
If there’s even a whiff of uncertainty about the number of assets or the software that runs on them, tech leaders must perform a comprehensive risk assessment. There’s no way to protect what you don’t know you have, so teams must inventory and validate all IT and security assets.
It may help to keep in mind that 79 percent of organizations recently surveyed report widening visibility gaps in their cloud infrastructure, while 75 percent found the same problem across end-user and IoT devices. Similar gaps exist across federal, state, and local agencies, making it imperative for them to know their assets intimately — including every piece of software that runs on them at any given point in time.
After an agency has absolute clarity into its assets, the next step is to secure all its endpoints, whether laptops, PCs, or virtual machines in the cloud, using prevention-first solutions. If agencies approach cybersecurity like much of the private sector does, focusing on detecting and responding to threats, or trying to overcome basic deficiencies with tools, they will not keep their endpoints or their data secure. An ounce of prevention is worth a pound of cure.
The final step, after an agency has identified and inventoried all its assets, is to continuously maintain a clean, secure environment — and that means creating a process for updating software and deciding who’s responsible for installing patches, for running vulnerability scans, and for determining how issues, once discovered, are remediated.
There are an average of 50 common vulnerabilities and exposures discovered every day. Software developers are constantly updating their code, which means that annual or even quarterly scans of patches and updates just won’t cut it. Daily scanning won’t get the job done either, because a single scan will miss the 49 others that surface every 24 hours. Agencies must continually seek out and identify blind spots to stay genuinely protected.
Compliance fails without proper controls
Mastering the basics of cyber hygiene boosts resilience across the board. When agencies get into the habit of thinking that adhering to compliance standards alone provides security, they lose their cyber resilience.
To ensure resilience, agencies must establish controls in addition to compliance standards, while cyber hygiene will include vulnerability patching, comprehensive asset management, user education, email protections, and improving password habits. As the post– mortem of every breach shows, human error almost always plays a role. Even compliance standards can’t eliminate people from the equation. If compliance alone can’t prevent an attack, it can’t be an agency’s security strategy either.
The good news is there’s clear guidance for agencies looking for direction on exactly what controls to put in place. From the National Institute of Standards and Technology (NIST) to the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), there are countless free resources for those seeking best practices, tools, and frameworks to set them on a path to success.
To succeed in cybersecurity, diversify the team
With all our many shortcomings, humans remain a critical component in the defense against threat actors. As the cyber landscape evolves, IT and security teams must also evolve. Cybersecurity teams must use creative problem solving and diverse ideas and tactics to meet emerging threats. Unfortunately, limited viewpoints create a barrier to a team’s ability to mitigate and respond to attacks comprehensively.
Teams are stronger when they leverage the power of their similarities as well as their differences. Problem solving, strategic planning, and innovation all benefit from diversity and inclusion. Importantly, diversity drives innovation. As Dr. Telle Whitney, a computer scientist and pioneer on the issue of women in technology, said, “When we limit who can contribute, we in turn limit what problems we can solve.” Wise words that point to a fundamental challenge we’re now facing, one that can and must be solved if we don’t wish to stifle innovation.
Gender diversity has proven critical for organizations of all types across decision-making, problem solving, and collaboration. Gender diverse companies are 21 percent more likely to have above average profitability, and companies employing an equal number of men and women manage to deliver up to 41 percent higher revenue. Diverse teams are 87 percent better decision-makers than individuals. Research suggests that gender diversity efforts could boost the global GDP by $28 trillion if the global workforce became equally gender-diverse by 2025.
Budgets only matter as much as the intentions behind them. Republicans and democrats can debate line items for months to come, but that would be wasted time when we consider our current cyber threat landscape. We have the right tools at our fingertips to improve public sector cyber preparedness – it’s just a matter of getting those tools in the hands of the right people and putting the controls in place to ensure they don’t fail. President Biden was right on at least one point: “We need everyone to do their part to meet one of the defining threats of our time.” Our vigilance and urgency today can prevent – or at least lessen the severity of – attacks tomorrow.
About the Author
Teddra Burgess is the Senior Vice President, Public Sector at Tanium, and is a seasoned expert with over two decades of broad industry expertise. Over the course of her career, Teddra has been instrumental to the success of several high-profile technology companies including Hewlett Packard, Micro Focus International, CA Technologies, SAI Global, and ASG Technologies where she served as VP of Northeast and US Federal Sales.
An advocate for advancing women+ and people of color in technology, Teddra joined Pipeline Angels, an organization changing the face of angel investing by creating capital for women+ founders, as an independent investor in 2019. In 2020, she earned an Executive Certificate in DE&I from Cornell University, and is active in a variety of community and professional organizations including Women in Technology, AFCEA, the NAACP and Mocha Moms, Inc. She is also a member of Delta Sigma Theta Sorority, Inc.