Cybersecurity is on the top of many public and private sector IT agendas these days. But while organizations focus on the software and hardware to police networks, they often don’t consider the standards necessary to have all those defenses working together, or the possible cost savings that can be achieved through improved cybersecurity.
Standards and guidelines are often overlooked in the cybersecurity space in favor of cost savings, said Donna Dodson, deputy cybersecurity advisor at the National Institute of Standards and Technology.
Speaking at a recent federal IT event, she noted that 10 to 15 years ago organizations had more control over their enterprise, but new technologies such as mobile devices are forcing them to reconsider how they manage their workplaces. Another challenge is that organizations are being asked to simultaneously provide more openness and security.
“Standards and guidelines have a key role, more than ever, in that space,” Dodson said at the Cost of Government with IT Summit last week in Washington D.C.
Federal organizations cannot afford to build or manage applications and systems without standards, Dodson said, because standards provide a platform that organizations can build on and tailor to meet their needs. Using a risk management framework also gives organizations a critical process to plan, implement and manage security throughout the lifecycle of a system.
“If you don’t understand what it [the risk] is and you start buying systems, you can start to over- or under-buy systems,” she said.
NIST is also focusing on security automation, Dodson said. Besides meeting the fundamental security needs of government, the institute is working with the private sector to help develop new products, because the government cannot afford to develop security applications on its own, she said. Security automation allows both federal and commercial organizations to build in standards-approved continuous security monitoring products. Standards also help control the lifecycle costs of systems, because organizations do not have to dedicate personnel to constantly monitoring their networks, she said.
Managing costs through improved cybersecurity is also on the minds of other federal agencies. Speaking at the same event, Mark Schwartz, chief information officer for the U.S. Customs and Immigration Service, noted that the Department of Homeland Security has launched a number of large IT modernization programs. These efforts involve many participants and have many components and cost considerations, which always have the potential to lead to problems such as going over budget. The DHS is trying to make these efforts more agile and structured.
Schwartz noted that the largest cost in these programs is finessing the requirements before any product is developed. The department is now working on a structure to secure these costs, he said.
Agile methodologies change how developers think about IT programs, Schwartz said. For example, conventional methods of software development treat security assessments and systems as an afterthought, which does not work, he said. Although it is still a work in progress, Schwartz noted that the new approach the DHS is pursuing begins by building hardened security features into a system from the very start of the process and then testing them constantly throughout development to maintain security.