When it comes to good government IT strategy, only collaboration will work in the long term, according to Hord...
Tipton, executive director of professional certification body (ISC)2.
But after that, governments should stop trying to reinvent the wheel when it comes to information security, he told Computer Weekly at the second annual (ISC)2 Security Congress in Philadelphia.
Instead of partnering with security organisations and building on existing knowledge, governments tend to think they have got to start from scratch. This was the position of the US government three years ago, but it now believes in partnerships, said Tipton.
Just like security professionals, he said, governments have got to realise that they cannot do their job alone. At the very least they have to work with their use community.
“I challenge anyone to find a breach that did not involve a slip up by an a user or member of the IT team, and once the door is open, that is when the real problems begin,” said Tipton.
He believes governments should partner with the coalition of security professional certification bodies that includes (ISC)2, Comptia, SANS and ISACA to tap into their collective knowledge and experience.
“We may have different measures for our certifications, but we have a common goal of sound, safe information security,” said Tipton.
Government, he said, needs to work with such organisations to ensure that, at a national level, they have the capacity to build the information security skills base they need.
This has to be built up through all levels of education because, like systems, security cannot be bolted on at the end, it has to be baked in over time, said Tipton.
The importance of security basics and education
This will help ensure that, when information security professionals go into government or private enterprise, they will have a culture of security and ensure adherence to basic security principles.
This is important, said Tipton, because research shows that 90% of data breaches use elementary attack methods, and 96% of these attacks could be prevented with simple security controls.
In terms of cyber security strategy, just getting the basics right will go a long way to reducing the number of data breaches taking place, he said.
Beyond that, Tipton said it is important for governments and businesses alike to understand their risk profile, to know what threats are likely to target them and what is going on in their networks.
“I see governments struggling with continuous monitoring; the US has only recently made continuous monitoring a mandatory part of their cyber defence strategy,” he said.
Through implementing continuous monitoring, government IT departments will be able to update their security posture on a much more regular, even monthly basis.
Another important thing for governments, said Tipton, is to get control of their data. In general, they hold and protect far too much data.
“They need to delete what they don’t use, but the problem is many are not sure what data is critical so they simply keep it all,” he said.
Governments' growing security awareness
On the positive side, Tipton said there is a growing awareness by governments that information security is a big issue, and that they cannot simply toss it over to IT departments to take care of. Instead, business and budget departments need to be involved and understand the impact of bad risk.
“This can be a difficult decision, but it is not possible to protect everything. That is why it is important to bring security and systems people together to ensure their collaboration and understanding,” he said.
Despite recent improvements, Tipton said there is still a long way to go, especially in breaking down government silos, overcoming internal conflicts and eliminating influence from third parties in the private sector that push back against proposed cyber defence legislation.
Given the budget constraints on public and private organisations, Tipton believed a good way of achieving better information security at the lowest cost is to look for a good model that works.
Information security professionals must then be honest with the business about why they need to invest, but should express it in a way the business understands.
Getting budget allocated is much easier when information security professionals can show that improving security will have a positive return on investment.
As a former US federal government CIO, Tipton said he was once able to save $100m by consolidating down from 12 to five internet gateways for his department.
“The key is to find security solutions that give the best rate of return and solve security and budgetary challenges at the same time,” he said.
Software licensing is another area where this can be achieved, said Tipton, citing an example where he was able to negotiate a single licence for his department to replace 2,500 individual licences.
The deal enabled savings of $40m in the first year, but at the same time helped improve security as there was only one configuration to manage and maintain.