How actively cybersecurity leaders seek out new processes, people and partnerships can determine the failure or success of a cybersecurity agenda over the next five years. This was the theme of a frank discussion among three top-level government security leaders at RSA.
It’s not surprising that cybersecurity was on the minds of attendees at the 2016 RSA Conference in San Francisco. Over 40,000 people gathered to talk about all aspects of security, from keeping intruders out to disk destruction to how to create a strategy for security that will touch all aspects of an organization.
For the panel of government experts at the session “A Roundtable with Three Cyber-Wisemen”, the conversation focused on the challenges faced by traditionally slow organizations like federal governments trying to keep pace with the speed of technological developments and the agility of hackers.
The view from three wise men, looking forward
Dr. Tal Steinherz, CTO of the Israel National Cyber Bureau, kicked the discussion off by addressing the state of cybersecurity today in Israel. According to Steinherz, the focus for Israel over the next year will be on implementing its cybersecurity strategy. Part of this effort is determining where responsibility for cybersecurity should live within the government. In Israel, responsibility for critical infrastructure falls to the secret services, but it isn’t clear if this authority should extend to the cyber realm. One thing though is clear, says Steinherz, and that is that as a democracy, respect for civil liberties must extend to cybersecurity strategy.
The U.S. focus over the next 3-5 years needs to be on getting ahead of threat trends, says Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator at The White House. To date, the U.S. government has focused on maintaining and expanding access to an open, interoperable internet, and broadly has been able to leverage technology advances for good. Looking to the future, the U.S. now needs to get ahead of the underlying security concerns that come with these technologies. This includes concentrating cybersecurity responsibility within a few government agencies, versus the more traditional federal model where each agency operates with its own IT organization.
On the other hand, the U.K. is four years into a 5-year cybersecurity strategy, which allows Alex Dewdney, Director Cyber Security for the Communications Electronics Security Group (CESG), an opportunity to assess their current strategy while looking forward. Speaking frankly, Dewdney told the audience, the existing strategy “didn’t work.” 90% of UK-based companies have suffered some sort of data breach, a fact that Dewdney points to as an indicator that there is much more work to be done. It isn’t that the past four years were for naught, he explains. There is a much better understanding of existing threats, as well as significant advances in partnerships and information sharing between the private and public sectors. But ultimately, Dewdney sees that governments need to be more active, interventionist and agile.
Both Daniel and Steinherz agree with Dewdney’s assessment that their governments are better off today than five years ago, but that there is much more work to do. According to Daniel, things have improved, but threats continue to evolve faster than federal organizations. Steinherz reinforces this, pointing out that with the speed of technological advancement, in five years we may all live in a much different world. The private sector seems to be more adept at responding to the pace of change, and Daniel points to a growing trend in private companies where the security conversations are moving out of the server rooms and into the board rooms.
People and partnerships are critical for future success
So how do organizations of the complexity of federal governments begin to tackle this? Daniel says that in the U.S., we haven’t focused on the underlying root cause of the problem. He indicates that one issue is simply legacy – it’s easier to get money to maintain existing systems than to replace them. As a result, technology stays in action much longer than it should, making it increasingly difficult to defend.
It’s not just a question of budgets, Dewdney points out. In the U.K., the issue is that they’ll always run out of people before money, and that a skills shortage is the critical issue for governments struggling with today’s new security challenges. He says that it’s not that there aren’t people with the needed skills – it’s more that those people aren’t interested in working for the government. In many instances, technology leadership in the public sector doesn’t reflect what top talent at technology companies look for, making them unlikely to take the jump. Daniel adds that people will come to the government for short periods of time because of the opportunity to work on projects that they wouldn’t find elsewhere, but that the days of expecting those individuals to stay for 30 years are over. As a result, the government and private sector need to become more adept at moving people back and forth between the two, making federal jobs more attractive for those willing to come over for specific projects or defined time periods.
Israel has taken a different approach to tackling the skills shortage. Steinherz sees human capital as the biggest bottleneck in cybersecurity efforts and points out that governments need to be innovative not just in the technology, but also in how they hire. One of the Israeli government’s approaches has been to identify potential talent in middle school and provide those students additional classes in not just programming, but also ethics. This builds a bigger pool of potential candidates down the road with both the hard and soft skills that the industry needs. Dewdney adds that academic partnerships are also seen as a way of tackling the people problem within the U.K., such as government sponsorship of university programs targeted at future security experts.
Even with the right people in place, governments still can’t design and implement their cybersecurity strategies in a vacuum. Daniel points out that he has yet to see a cybersecurity issue that was entirely domestic. Governments need to put mechanisms in place that make it easy for federal agencies to cooperate and collaborate, and Steinherz adds that this must also extend to private companies that have actionable information to share. At the core, the panel agrees that public and private partnerships are key to tackling modern security issues, and this means partnering on knowledge, workers, and technology.