The National Cybersecurity Strategy sounds familiar because it is, U.S. CISO says
A lot of people have been telling Federal CISO Grant Schneider that the recently released National Cybersecurity Strategy sounds a little familiar.
And Schneider agrees with them, he said Thursday at DC CyberTalks — it sounds familiar because it is.
That’s “true partially because cybersecurity is about doing the basics,” he said during his opening keynote. “It sounds really sexy … however at the end of the day, it’s about doing a lot of patching, a lot of basic grunt work, and doing it well day in and day out.”
Schneider explained how the “vast majority” of federal information security incidents that occur aren’t novel by any nature but, rather, they “come through well-known, previously known vulnerabilities that just haven’t been dealt with. So, truly, if you just deal with the things that are already known out there, you’re going to be in pretty good shape.”
The new strategy, the federal CISO said, is less about the response to cyberattacks and “more of what are we going to do about it? How do we get ahead of the cyber challenges we have? These challenges aren’t going away. They’re not ones where we’re done and we fix it.”
What is new in strategy, however, is the approach it takes, Schneider said. “It’s really a shift from [an approach] about process and policy to action and accountability.”
One particular area of the strategy he focused in on Thursday was the call for more shared services in federal cybersecurity.
“How are we doing things more collectively? How are we moving to cloud services?” he asked. “We need to get some agencies, candidly, out of the business of doing cybersecurity themselves.
Federal CIO Suzette Kent, who spoke after Schneider, pointed to things like bug bounties and hackathons as other ways to take some of the cybersecurity burden off agencies. “What they’re actually saying is ‘Help me find what I’m not doing. Help me improve faster. Help me protect what I’ve been challenged to protect, and in a manner that’s more aggressive and maybe more creative.’”
Kent said she and Schneider were going from CyberTalks to meet with “the CIOs and CISOs across all of the federal agencies focused on the National Cybersecurity Strategy and what we’re doing, the priorities, and how we tackle some of those things individually, but more importantly what are the things we go after together?”
Schneider also emphasized that shared services are advantageous because “we’re never going to be able to attract all the talent we need at all the agencies. We don’t want to be competing with one another. So how can we do things in a more common and shared way?”
Indeed, that talent and workforce angle was one that many speakers throughout the day keyed in on.
“You’re going to hear workforce, workforce, workforce many times today. We don’t have enough cyber professionals,” said Kent.
Cybersecurity may have been the theme of the day, but workforce appears to be the most dire need in the federal IT space.
“At the end of the day, all our cyber challenges, all our IT challenges, are people challenges,” Schneider said. “They’re not just technology. Computers don’t do things that people don’t tell them to do.”
