Management and program silos within agencies that so often stymie efforts to integrate information technology and security practices are also hindering efforts to institute smarter risk management strategies at agencies, according to senior government security officials.
“Risk is still being managed at most agencies in a stovepipe manner,” said Department of Energy Chief Information Officer Bob Brese (pictured at left) during a Government Technology Research Alliance conference on government security trends on Monday.
Agencies, like most organizations, make a concerted effort to assess and plan for a variety of risks that could threaten their operations. When it comes to planning for cybersecurity risks, however, a significant amount of risk management work continues to remain in isolation within agencies, Brese said.
Brese openly raised the question, “How much are we doing risk management in an integrated approach?” He said the answer is not nearly enough.
The Department of Energy “created a risk management program, primarily for the derivation of requirements.” DOE components look at whether international standards are sufficient for their respective operations and if not, develop their own standards.
“But we still don’t integrate them,” he said, adding that DOE, as is the case at most agencies, still doesn’t have an integrated, corporate approach to risk management, even though such practices would significantly enhance parallel efforts to develop integrated cyber and physical security practices.
The need for risk management integration is becoming an increasingly important issue for federal information security executives as agencies shift their security focus from a compliance approach, which is no longer viewed as being effective, to one that relies increasingly on broader risk management practices and continuous awareness.
Part of the challenge is the need to retrain chief information security officers “who’ve been trained in the same swim lanes for the past 20 years…around the risk management model,” and to work more directly with the business side of agencies, said Keith Trippie, executive director for the Department of Homeland Security’s Enterprise Systems Development Office (pictured at right above).
Trippie praised the evolution of FedRAMP as a model for assessing risks in an increasingly commoditized IT world. The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
As IT and IT security become increasingly standardized and commoditized, CISOs can devote more time to working directly with senior agency business and program managers on broader security risks, Trippie said.
Cheri Caddy, a senior advisor within the Information Sharing Environment program office at the Office of the Director of National Intelligence, concurred that “the continuing stovepipe mentality in an interconnected world” is making it harder “to integrate security to the level we need to.” ISE, together with the General Services Administration, has been trying to work more closely with industry to establish a set of interoperability standards as one way to address some of the acquisition problems that arise from stovepiped operations.
Department of Agriculture Deputy CIO Charles McClam, who also spoke at the event, added that efforts to improve information security must also focus on the lifecycle of data, from the time of inception to how it will be used and processed, and “understand the security that needs to be around that data.”
McClam (pictured at center above) also made the case that industry needs to play a greater role in delivering mobile devices that can manage data more securely, rather than putting so much of the burden on agencies and organizations to do such extensive configuration work.