People Are Federal IT’s Biggest IT Security Challenge: An Interview with SolarWinds’ VP Product Management
A couple weeks ago, SolarWinds released their newest federal IT cybersecurity survey. Among their most thought provoking conclusions:
- Federal IT’s biggest cybersecurity hazard is people
- Agency insiders are nearly as damaging as external attackers
- Budget constraints are still the single most significant obstacle in maintaining or improving IT security.
Chris LaPoint, VP Product Management, SolarWinds, was kind enough (as always) to talk with us about their findings and provide context to them.
DLT: 49% of people say continuous monitoring is paying off nicely, and 59% say they plan on measuring the ROI of their Continuous Monitoring solution. How do you put an ROI on your IT security? Is it based purely on money? What should agencies consider when determining ROI?
Chris: There are two ways of looking at ROI on security.
You can look at productivity gains by automating what was once a tedious, manual effort. For example, validating a DISA Security Technical Implementation Guide (STIG) for network configuration might take days or even months if done manually, but with network configuration management software, you could do the same validation in just a matter of minutes. This frees up time to devote to operational uptime management or deploying other security initiatives.
Or, you can look at the ability to respond to security threats or compliance issues quicker. Of the approximately 66% of survey respondents who have implemented continuous monitoring, 46% can detect inappropriate internet access by insiders within minutes, compared with 29% of non-users. 46% can also detect rogue devices on the network within minutes, compared with only 23% of non-users. That’s a remarkable difference that brings fiscal benefits, but reputation-based ones as well.
In considering ROI, I think agencies should consider killing two birds with one stone. That is, look at combining IT ops initiatives with InfoSec initiatives so that while cybersecurity and compliance may be the budget driver, you’re also solving real operational uptime problems. This also drives IT ops and security teams to work closer together versus wasting valuable time arguing over turf.
In my conversations with federal customers, I like to call this “collect once, report to many.” For example, a network configuration management system can be used to back up network configs so that in case of an operational issue caused by an inadvertent or intentional change, you can roll back to the last known good config. The same system can be used by InfoSec to analyze network configs for DISA STIG compliance as we discussed earlier.
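The "collect once, report to many" workflow described above, as an added illustration that is not SolarWinds code or anything from the survey: one collected config snapshot is stored once, then read by two consumers. IT ops diffs it against the last known good copy and rolls back on drift; InfoSec runs hardening checks over the same text. The router configs and the check names are constructed for this example; the checks are simplified rules in the spirit of a DISA STIG, not actual STIG rule identifiers.

```python
"""Minimal 'collect once, report to many' config store (illustrative, not vendor code)."""
import difflib
import re
from dataclasses import dataclass, field

# Constructed "last known good" running config of a hypothetical router.
KNOWN_GOOD = """\
hostname edge-rtr-01
service password-encryption
no ip http server
line vty 0 4
 transport input ssh
 exec-timeout 10 0
"""

# Constructed snapshot collected later, after an inadvertent change.
DRIFTED = """\
hostname edge-rtr-01
service password-encryption
ip http server
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
"""


@dataclass
class ConfigStore:
    """Snapshots are collected once; ops and security both read from here."""
    snapshots: list = field(default_factory=list)

    def collect(self, config: str) -> int:
        """Store a snapshot and return its index."""
        self.snapshots.append(config)
        return len(self.snapshots) - 1

    def diff(self, good_idx: int, current_idx: int) -> list:
        """Changed lines only (ops view): what drifted from the known-good copy."""
        good = self.snapshots[good_idx].splitlines()
        cur = self.snapshots[current_idx].splitlines()
        return [
            line
            for line in difflib.unified_diff(good, cur, "known_good", "current", lineterm="", n=0)
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
        ]

    def rollback(self, good_idx: int) -> str:
        """Re-collect the known-good text as the newest snapshot and return it."""
        self.collect(self.snapshots[good_idx])
        return self.snapshots[-1]


# Simplified hardening checks (constructed names, not STIG IDs); True means compliant.
CHECKS = {
    "http_server_disabled": lambda cfg: re.search(r"^no ip http server$", cfg, re.M) is not None,
    "vty_ssh_only": lambda cfg: re.search(r"^ transport input ssh$", cfg, re.M) is not None,
    # An exec-timeout must be present and must not be "0 0" (which disables the timeout).
    "vty_exec_timeout_set": lambda cfg: re.search(r"^ exec-timeout (?!0 0$)\d+ \d+$", cfg, re.M) is not None,
    "password_encryption": lambda cfg: "service password-encryption" in cfg.splitlines(),
}


def compliance_report(cfg: str) -> dict:
    """InfoSec view over the same snapshot: check name -> compliant?"""
    return {name: check(cfg) for name, check in CHECKS.items()}


def noncompliant(cfg: str) -> list:
    """Sorted names of the checks that fail for this snapshot."""
    return sorted(name for name, ok in compliance_report(cfg).items() if not ok)


if __name__ == "__main__":
    store = ConfigStore()
    good = store.collect(KNOWN_GOOD)      # collected once
    cur = store.collect(DRIFTED)          # next poll picks up the drift
    print("ops: changed lines:", store.diff(good, cur))
    print("sec: failing checks:", noncompliant(DRIFTED))
    restored = store.rollback(good)       # ops rolls back to last known good
    print("sec after rollback:", noncompliant(restored))
```

Both teams read the same stored snapshot: the diff is what ops needs to explain an outage and decide on a rollback, and the failing-check list is what security needs for its compliance report, so nothing is collected twice.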
DLT: 47% of respondents to your survey indicated that they’ve been tenured for over 15 years, 30% indicated over 20. With all the reports in the media highlighting a lack of cybersecurity experts within agencies, does this high tenured rate indicate anything?
Chris: There needs to be an evolution in how they think about cybersecurity.
It’s no longer about periodic “tasks” or “checklists” that must be performed to maintain a particular security posture or address compliance. It’s about being able to react to security threats in real time and continuous compliance.
The good news is that given that 66% of the respondents have deployed at least one continuous monitoring solution, they’re getting this conceptually, but it’s how they move forward that has broader implications. Every person that touches a keyboard is part of the cyber workforce, so there’s a lot of training, retraining, and retooling that’s required. Continuous monitoring is just the starting point.
DLT: The most significant obstacle to implementing continuous monitoring is budget. But recent budget reports indicate there’s more money set aside for cybersecurity. Is it a case of simply not enough budget or is it that agencies are putting their money in other solutions? Should they be investing in continuous monitoring?
Chris: Purse strings are opening up a bit since the sequester fallout of 2013, but that doesn’t mean that agency IT organizations have more than they know what to do with. In many cases, they’ve got to make tradeoffs and weigh cybersecurity initiatives against operational initiatives that are required to keep agency networks up and running. The challenge is that the operational use cases around keeping the defense network up for our deployed troops are inextricably linked to security.
So, how do you avoid the compromise? I think this goes back to my earlier point about looking for opportunities to combine IT ops and InfoSec initiatives and collecting once and reporting to many.
DLT: While external hacking and malware were recognized as the top cybersecurity threats, 41% of defense respondents said insider data leakage/theft was a major threat. How can they alleviate those concerns?
Chris: Training has obviously got to be a big focus, but ultimately changing human behavior is extremely difficult. You’ve got to move beyond the reactive to the proactive. For example, agencies should look at security products that allow them to block USB memory stick access, detect rogue devices, and automatically initiate active responses to security threats like shutting down ports and disabling network access.
DLT: Continuous monitoring users indicate that most practices and technologies are essential priority investments significantly more than non-users. Does this prove that continuous monitoring is helping to identify areas of weaknesses they wouldn’t know without the technology? Or does this indicate something else?
Chris: I think so, and really that’s the point of continuous monitoring. You monitor your security controls continuously and then augment and adjust as necessary to respond to changing security and compliance requirements. It’s a closed-loop process, not a one-time event.
"You don't know what you can't see." We've heard it a million times, and this survey proves its point. In today's cyber world, you must be able to see who's in your network and what's threatening it. Without at least that "lighthouse" you're floating dangerously in rough, dark seas.
Did You Know?
SolarWinds is one of this year’s GovDefenders Cybersecurity Virtual Event sponsors. Attend from your office and hear keynote addresses from:
- Aneesh Chopra, former US Chief Technology Officer
- Dr. Ron Ross, National Institute of Standards and Technology (NIST) Fellow and Federal Information Security Management Act Implementation Project Lead
- John Slye, Advisory Research Analyst, Deltek
You’ll also have the opportunity to watch training presentations from eight leading cybersecurity developers and a panel on the new NIST framework for improving critical infrastructure cybersecurity – all for free!