Cybersecurity threats are constantly changing, which means government organizations are always assessing their security profiles and enhancing security protections. But the past year has added several twists.
First, the COVID-19 crisis compelled a quick pivot to working from home, which in turn led cyber criminals to target remote workers. Second, a new administration is driving significant changes in agency budgets and spending priorities.
Meanwhile, cybersecurity decision makers still have to comply with strict regulations around procurement, cloud computing and data protections.
To make sense of these issues and gain insights into developing trends, I caught up with Brian O’Donnell, vice president of sales at Carahsoft. Carahsoft is a Forcepoint partner and trusted provider of government solutions. Here’s a condensed version of our conversation:
Q: The past 12 months have involved incredible change. Let’s start with the abrupt shift to remote work. What has been the most significant fallout?
A: With the overnight shift to stand up remote environments in March of last year, we had the opportunity to work with a number of our government and education customers to help them ensure the continuity of operations. Our government customers had to move to full-time telework, and our education customers had to get e-learning up and running. It was amazing how quickly our customers were able to make these transitions.
For all these organizations, security was top of mind. For example, insider threats gained new currency, as you suddenly had a large number of employees working remotely. In some cases, they might be trying to use their own devices to access networks, which allowed cyber attackers to begin targeting these workers with social-engineering campaigns (i.e. phishing). These employees could potentially be the weakest link in the chain.
Q: “Cyber-resilience” is on everyone’s mind. The goal is to improve how you prepare for, respond to and recover from cyber attacks. Is that a need your customers recognize, particularly in this challenging environment?
A: Whether or not customers use that term, “cyber-resilience” is at the center of every conversation we’re part of. Because as we all know, it’s no longer a matter of if there will be a security incident, but when.
We spend a lot of time educating our customers to help them prepare for an incident before it happens, as well as how to respond to it after the fact. A lot of that focuses on getting the most out of the security tools they’ve already invested in. Are you taking advantage of all the existing features and functions? Are you truly keeping up with patches? Good cyber hygiene can go a long way in protecting your organization.
That’s one reason it pays to work with an experienced provider. This might be the first time your organization is experiencing a security situation, but Carahsoft, together with our reseller partners, has a lot of lessons learned and best practices we can share based on our experience in supporting other government and education customers.
Q: The new administration has announced a lot of new spending. When it comes to cybersecurity, what type of ROI do you think will be required?
A: The SolarWinds hack really opened a lot of eyes, and I think the administration wants to take a more comprehensive approach to cybersecurity. They announced a $650 million “down payment” that will probably lead to a couple of billion dollars in additional funding. As an example, we’re seeing new policy introduced around supply chain security.
In terms of ROI, any cybersecurity project will have to enable cost-effective yet secure access to mission-critical data. You need to protect the assets that are most important to you, including both data and people.
So, you start there and work backward. How do you know what assets you have? How do you know whether they’re protected? Are you protecting your endpoints? Are you providing adequate user training – for example, around phishing attacks?
A lot of that begins with asset visibility and management. Studies show organizations think they’re protecting everything, and then they do asset discovery and find they’re actually protecting only a small portion of what they own.
Q: Do most of your government customers have a robust cyber strategy? Or are they just throwing budget at the problem and hoping it works?
A: Many are at least using the NIST Cybersecurity Framework or the MITRE ATT&CK Framework. Others are much further along in their cybersecurity maturity. The frameworks are good reference points, but they won’t solve all your cybersecurity problems. You need a strategy that goes beyond just a framework.
At the same time, organizations are becoming more focused on the outcomes they want to achieve around cybersecurity. It’s not just about buying more security tools, because more tools won’t necessarily make you more secure. You need effective strategy, implementation and education.
Q: When it comes to the security controls of FedRAMP, are you seeing challenges in moving to the cloud? How should agencies approach compliance with these regulations?
A: At this point, we like to say that FedRAMP is table stakes. Some organizations are still using non-FedRAMP solutions, but the federal government is cracking down on that, and we’re now seeing the emergence of StateRAMP certifications for our state and local customers. This is a trend that isn’t going away.
The COVID-19 pandemic resulted in the rapid implementation of cloud-based services by our government customers. I’ve heard people say that we’ve seen 10 years of digital transformation in the last 12 months, which is probably accurate as it relates to the government’s shift to cloud. Together with our reseller partners, we were able to work with our customers to ensure that their move to the cloud was done right as it relates to security and compliance.
Q: The SolarWinds hack demonstrated that both agencies and businesses remain at risk of data breaches. Have you identified best practices that can help?
A: The SolarWinds hack demonstrated that we all remain at risk of data breaches. This was an incredibly sophisticated supply chain security attack based on the way it was embedded into the software itself.
In terms of best practices, a couple come to mind. We’ve heard customers talk about “Zero Trust” for a while now, but this has really given customers the opportunity to look at what that means.
I like how Forcepoint takes a “human-centric” approach to cybersecurity; I think that’s crucial. Too many organizations have a one-dimensional mindset that emphasizes technology. Meanwhile, security issues such as insider threats persist and even grow.
Insider threats often involve unintentional breaches, so education becomes important. A lot of what we do is implementing tools and controls that help users understand good cyber hygiene. And because we’ve worked with a lot of organizations on this, we’ve seen what really works.
We’ve also developed best practices for response and remediation. We work with resellers and their consultants to do triage, understand what went wrong and quickly respond. You want to minimize the damage. But there’s always the opportunity to learn lessons to achieve stronger security going forward.