How the Energy Department uses asset management to drive cybersecurity
An IT asset management system for a government agency that employs more than 100,000 people should probably have more than three people working on it and should probably take longer than nine months to build.
Rick Lauderdale has proven otherwise.
Lauderdale, the Energy Department’s chief architect, has been spending the better part of 2014 refining a system that gives agency leadership an agile way to use the agency’s existing technology and phase out end-of-life software. While the primary focus of most IT management systems is lowering cost, Lauderdale’s system operates from a cybersecurity standpoint. As his team worked to integrate the program across the agency, they found that the platform’s security aspect set the table for all the other components of IT decision-making.
“No one has ever tied IT asset management to cybersecurity,” Lauderdale said during an interview with FedScoop. “I can tell you that our CFO office loves it, because now it’s allowing the stakeholders to look forward and try to predict what’s going to happen with the software and the hardware.”
The security focus comes from last year’s Energy Department hack, which compromised the social security numbers and birth dates of 53,000 former and current DOE employees. After Lauderdale determined the vulnerability was due to an out-of-date version of Adobe’s ColdFusion, he set out to create a system that mapped assets as well as managed the life cycles of all DOE assets.
Using a combination of enterprise portfolio management tool Troux and IT information repository Technopedia, Lauderdale has created a way for agency executives and the IT office to map out on-demand reports about potential vulnerabilities, redundant applications and measures that need to be taken to phase out end-of-life technology.
The system Lauderdale and his team set up allows stakeholders to create very granular data visualizations across the enterprise; managers can filter queries based on hardware manufacturers, phases, products and versions, then run them against Technopedia to determine safety, cost, further integration or a host of other filters. Earlier this year, the platform was key in helping DOE understand what Microsoft hardware products would need to be replaced as the company ended support for Windows XP.
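As an added illustration (not DOE's system, nor Troux or Technopedia code), the core check such a platform performs is a join of the asset inventory against a lifecycle catalog, followed by filtering on manufacturer, product and support status. The catalog, hosts, versions and end-of-support dates below are constructed for the example.

```python
from datetime import date, timedelta

# Constructed lifecycle catalog standing in for a Technopedia-style repository, keyed
# (vendor, product, major version) -> end-of-support date. Dates are illustrative only.
LIFECYCLE = {
    ("Microsoft", "Windows", "XP"): date(2014, 4, 8),
    ("Adobe", "ColdFusion", "8"): date(2012, 7, 31),
    ("Adobe", "ColdFusion", "9"): date(2014, 9, 30),
    ("Adobe", "ColdFusion", "10"): date(2017, 5, 16),
}

# Constructed inventory (hypothetical hosts, not DOE data).
INVENTORY = [
    {"host": "web01", "vendor": "Adobe", "product": "ColdFusion", "version": "8.0.1"},
    {"host": "web02", "vendor": "Adobe", "product": "ColdFusion", "version": "10.0.12"},
    {"host": "app03", "vendor": "Adobe", "product": "ColdFusion", "version": "9.0.2"},
    {"host": "ws-1041", "vendor": "Microsoft", "product": "Windows", "version": "XP SP3"},
    {"host": "db01", "vendor": "Oracle", "product": "Database", "version": "11.2.0"},
]
AS_OF = date(2014, 6, 1)  # constructed "today" for the example

# Sort order for reports: the assets that need action come first.
SEVERITY = {"end_of_life": 0, "approaching": 1, "unknown": 2, "supported": 3}

def major_version(version: str) -> str:
    """'10.0.12' -> '10', 'XP SP3' -> 'XP': the granularity the catalog is keyed on."""
    return version.split()[0].split(".")[0]

def lifecycle_status(asset: dict, as_of: date, warn_days: int = 180) -> str:
    """end_of_life, approaching (EOL within warn_days), supported, or unknown."""
    eol = LIFECYCLE.get((asset["vendor"], asset["product"], major_version(asset["version"])))
    if eol is None:
        return "unknown"  # not in the catalog: flag for research, never assume it is safe
    if eol <= as_of:
        return "end_of_life"
    if eol <= as_of + timedelta(days=warn_days):
        return "approaching"
    return "supported"

def report(inventory, as_of: date, vendor=None, product=None, status=None) -> list:
    """Rows of (host, vendor, product, version, status), worst status first; the
    optional filters mirror a stakeholder query narrowed by manufacturer or product."""
    rows = []
    for a in inventory:
        if (vendor and a["vendor"] != vendor) or (product and a["product"] != product):
            continue
        s = lifecycle_status(a, as_of)
        if status is None or s == status:
            rows.append((a["host"], a["vendor"], a["product"], a["version"], s))
    return sorted(rows, key=lambda r: (SEVERITY[r[4]], r[0]))
```

Assets missing from the catalog are reported as unknown rather than silently dropped, which is where the "smarter than the data" judgment the article closes on comes in.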
Lauderdale said the system has allowed DOE to move away from being reactive about vulnerabilities and instead be more intuitive about asset management.
“It’s going to allow us to predict what is going to occur and then move forward aggressively to prevent any kind of vulnerabilities to the network,” he said.
While Lauderdale said this system “does not solve all the cybersecurity issues that are out there,” the size of the team that created the tool and the time frame within which the team created it have caught the attention of enterprises inside and outside the public sector. Lauderdale told FedScoop eight different federal agencies as well as private companies, foreign and domestic, have contacted him about the platform. It was also part of a case study recently published by market research firm IDC.
“[Asset management] has a huge gap that is both in industry and government, and that’s going to help them close it,” Lauderdale said.
Yet even with the agility the platform provides and the amount of information that can now be uncovered, Lauderdale said it’s still up to people to make sense of the data the platform can unearth.
“You’ve got to be smarter than the data,” Lauderdale said. “The data is telling you something, but if you’re not smarter than the data, you’re not going to be able to read the tea leaves, whether it’s right, wrong or indifferent.”