Federal cyber pros at Palo Alto Networks’ Federal Ignite conference weighed in today on the cost of cybersecurity and its return on investment, suggesting that government spending may not be properly aligned with the risks, threats, and real assets that need to be protected.
“Because we’re not looking at total cost of ownership, we are accepting more risk, with the intent of ‘I’m going to buy a new capability, therefore it will reduce the risk,’” said Col. David Caswell, head of the Department of Computer & Cyber Sciences at the U.S. Air Force Academy. “We’re not looking at it as a whole system of equation.”
The problem of the shiny new tool in cybersecurity is well-documented. But is government focusing resources on the right problems?
“The notion that I’m challenging is the fact that we’re even addressing risk. We’re not,” said Patrick Arvidson, special assistant to the Office of the National Manager for National Security Systems at the National Security Agency.
Arvidson explained that most risk management frameworks focus on “knowing your threat” and placing that knowledge at the forefront of the risk discussion. But it isn’t happening, he said.
He advocated for the concept of a heat map, focused on “how people are attacking you” and “how you’re defending it,” which could prove especially helpful in conveying the concept of risk to non-technical senior staff.
“Think about the consequences of that discussion,” he said. “I can give you 800 pages of documentation…or I can walk into a room and say, ‘This is the threat data from my network. This is how I stopped it, and this is how I assume risk.’ That’s a simple, very powerful conversation.”
“I hate to use the term risk. I like to say it’s threat-based cybersecurity. Because you’re putting threat at the very beginning,” Arvidson said.
To Caswell’s point, perhaps the difficulty with cybersecurity is that cost doesn’t map neatly to the risk discussion.
“Like all other ROI risk investments, be it insurance or healthcare, there is a history of an actuarial statistic data set that provides an informed base for what the offset of the cost of those risk mitigations are. We don’t necessarily have that in cybersecurity,” said Matthew Scholl, chief of the Computer Security Division at the National Institute of Standards and Technology.
In those other sectors, you have a sense of what you’re getting when you pay for it. Not so with cybersecurity, Scholl suggested. “So instead, risk investment decisions are done either about emotion, significantly less information than is needed for the amount that’s being spent, or it’s done against what we can secure, which doesn’t necessarily map to what we should secure.”
All of these concerns point to an inappropriate allocation of resources, and to the belief that buying a tool will buy down risk. That breakdown in the ROI analysis has contributed to an overwhelming sprawl of cybersecurity tools.
“From a DoD perspective, just to give you an idea, it’s roughly 2,300 on the NIPRNet side alone. Which is unique because 90 percent of the traffic on NIPRNet is YouTube videos. As my boss likes to say, they’re just watching cat videos,” said Arvidson.
“Highly secure cat videos,” joked Scholl.
So do we really need thousands of tools? That sprawl is likely untenable from the management side of the enterprise and inefficient from the coverage perspective, since there is bound to be substantial overlap between tools.
“We’ve got to stop talking about tools and start talking about capabilities. What capabilities do you need in your network to defend your stuff?” Arvidson asked.
“If I took any one of anybody’s tools, and I took it into the lab, and said, ‘How well does it do this?’ It’s going to be within 80 percent of the other tool,” he continued. “But the capability it provides is something I need in my network…So when I go back to having that conversation about, ‘Hey, as an agency, what capabilities do you think I should have, other agency?’ That’s a really good conversation to have.”
Scholl said there needs to be a better way to create an “informative decision process to ensure that the investment is being done right, and at the right price.” Asked what government programs might be working to consolidate the cybersecurity sprawl, Scholl noted “there are efforts going around to simplify” and cited the Continuous Diagnostics and Mitigation (CDM) Program as a strong contributor.
Scholl noted the difficulty in getting a cross-agency view of risk and threat due to the “diversity of toolsets” out there. CDM’s Federal dashboard is working to provide that view. As of the start of this month, all civilian CFO Act agencies are now connected to the dashboard.
“Make good informed risk decisions,” Scholl offered as advice. “Part of that is understanding your business asset, as well as what threat is trying to act upon that asset, and then what capabilities you need to protect that asset. Don’t secure what you can, because you can secure it. Secure what’s important.”