Discussions this morning with a Federal agency IT professional and an IT acquisition professional revealed very different views of the Federal government’s security posture.
Speaking on the condition of no attribution at an AFCEA (Armed Forces Communications and Electronics Association) Bethesda event Tuesday morning, the two speakers offered differing opinions that showed how the balance between security and effectiveness is still up for debate.
While the IT professional, working within a component at a large civilian agency, placed an emphasis on an enterprise approach to security, the acquisition professional shared a sense of frustration about security policies trying to buy risk down to zero at the expense of functionality.
The IT professional emphasized the importance of data security, saying that the agency was looking at placing high-value assets in protected enclaves, and noting as a primary concern the number of endpoints and partners that present some risk to the network.
Meanwhile, the acquisition professional discussed the need to keep user functionality top of mind. This pro noted that while CIOs and IT professionals tend to designate security as a major priority, users want products that actually work for their needs. This pro described their philosophy as providing a full picture and letting users decide what they want to buy.
When it comes to bring-your-own-device policies, the IT professional noted the primary concern of control over the device, and said while their agency allows BYOD, it has a separate network for personal devices.
On the topic of cloud, the IT pro described the biggest hurdle to cybersecurity as governance. While users may think that cloud is secure out of the box, the IT office has to make sure it takes responsibility for its share of security in the cloud. The IT pro said the agency is partnering with components to spread awareness, and has created a test environment for cloud-based tools.
The acquisition professional noted the aim to make it clear to customers what products do and do not comply with FedRAMP, but to not make specific recommendations. The acquisition pro also warned against believing that buzzwords will completely solve the security problem, but stressed the need for a balance.
The IT professional said the agency is looking to use emerging technology to monitor user behavior to help augment the data-sharing agreements currently in place. The IT pro also praised the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program, and expressed a desire to improve agency infrastructure to support a big data platform for monitoring user behavior and network anomalies. The IT pro also described the importance of a remediation plan that doesn’t immediately shut users down, recalling an incident where an agency user was flagged for visiting Russian websites. A subsequent review found legitimate business reasons for the traffic.
The acquisition professional was skeptical of any solution that promises to solve a security problem entirely, including emerging technologies like artificial intelligence. The acquisition pro said government needs to serve all citizens, citing the example of phone operating systems that are secure but don’t allow for blind users’ unique needs. The pro pointed to the 2015 Office of Personnel Management data breach as one of the main catalysts for the security push, but cautioned against the pendulum swinging too far to the security side, and reiterated that while government may chase 100 percent security, it will never get there.