CISOs debate the need for shared services
As the federal government grapples with the twin challenges of upgrading its IT systems and improving its cybersecurity posture, shared services could be an answer to both, some information security officials say.
A recent survey showed that stronger cybersecurity is the top benefit that federal IT professionals see in their modernization efforts. How those systems protect data, which is being accessed by more people, becomes the central question, especially when some data has a higher value than others.
For Jeff Eisensmith, chief information security officer at the Department of Homeland Security, the answer is not in a spate of individualized cyber tools tailor-made for agencies but instead in the proposed move to shared service providers.
“If you are a department, and it’s a loose confederation of agencies, and everyone is doing their own thing, and you have 17 of them, how many systems do I have to secure? How many ways can someone get at me?” he said, speaking on a panel at the IT Modernization Conference @930gov Wednesday. “I think the part of IT modernization, as well as the cybersecurity executive order, as well as everything else, is that we should be acting more like departments and not like individual agencies.”
Shared services are central to the White House’s IT modernization and cybersecurity strategies, not only from an economic standpoint but also as a way to develop a stronger security posture.
“There are economies of scale that save money and there is a shrinking of the attack surface if we do these shared services,” Eisensmith said.
But for agencies looking for new IT solutions, a network of disparate systems leaves them more open to attack, yet one size of protection may not always fit all. So IT leaders will have to look not only for more efficient systems but also at how they can adjust them to their specific mission needs, including the growing access to their data.
“When you are talking about cloud [computing] and when you are talking about network, what’s really changing is how are your applications working, how is your data being used and touched,” said Christopher Lowe, CISO at the Department of Agriculture.
“The rate of change around the application space far exceeds our ability to keep up with it,” he said. “What we are looking at is how to come up with a security model that focuses on the data owner. Because that is really the only way to have a conversation about risk.”
One way to do that is for leaders to start from a strong, common foundation and to build individual protections from there, said Shon Lyublanovits, IT security category manager and director of IT security services at the General Services Administration’s Office of Information Technology Category.
“Is there like data? Is there a sort of baseline where we can provide standard language we can provide agencies and let them prepare their own requirements on top,” she said. “Making sure the terminology makes sense to everyone and that we are all speaking the same thing, because if we have two like systems and classify them differently, I’m introducing additional risk, he’s introducing additional risk and we are not really getting anywhere.”
Lyublanovits added that the fallout from the 2015 breaches at the Office of Personnel Management shows that deciding what tools agencies need is now a team effort.
“When the OPM incident happened, that was a shift I saw in government where we all sat down to the table together and started looking at our risk as a federal government,” she said. “I think we have to continue this conversation when it comes to developing these risk profiles.”
“It can’t be, ‘What am I doing within my organization, what are you doing in yours?’ It has to be a conversation, that’s how we get the CIO, the chief financial officer, the chief performance officer to sit down and talk to each other and give you the tools you need to implement what you need within your departments,” Lyublanovits said.