Our latest webcast featured Core’s Eric Cowperthwaite, VP, Advanced Security & Strategy and special guest Grayson Walters, ISO for the VA Department of Taxation. They discussed several of the lingering security threats that still plague the public sector, such as access to targets, password theft, network boundaries, policy control, etc. and ways to help mitigate these threats.
Here are a few questions they received at the end of the webcast.
Q: Would you recommend an analysis of environment to determine if one has already been breached prior to looking for vulnerabilities and exploiting those vulnerabilities?
A: Absolutely, yes. As we’ve seen, organizations are breached months, sometimes years, before discovering it. The majority of breached organizations are finding out they have been breached from outsiders like law enforcement, credit card companies and Brian Krebs! Spending a relatively small amount of money to assess your organization’s current security posture and whether it has been breached is very worthwhile, if only to know you have been breached before anyone else does, so you can manage the fallout.
Q: For those smaller shops with people that have basically inherited a security function because we know something about a server, how do we begin to obtain the skills that are needed to tackle this issue?
A: State and local government organizations have access to training opportunities that are low to no cost, and they should absolutely take advantage of these opportunities. Finding money for a training budget is difficult in the first place, so taking advantage of these cost-effective training opportunities for your people is important. Never forget that your people are your most valuable assets; invest in them.
Q: What is a good strategy to help ensure that your employees comply with security protocols?
A: In order to have a successful security compliance strategy, you have to implement protocols that fit your organization and its culture. Culture shift is a big deal. A strategy around change management is important. Of course you have to have the ISO and his or her team on board, but a lot of it is up to the business leadership. A large part of it is that information security professionals can pigeonhole themselves into a “no mentality,” but we’re here to help the business do the work they need to do, safely. When I hear a security person shut down a user with a simple “no,” it isn’t helping anyone. What I like to hear is “here is a way I think you can do that without exposing our data,” or whatever the specific case may be. If you’re going to say “no,” then you had better have a good alternative for them, because they have to get their work done. If you just say “no,” they’re going to do it anyway and not tell you about it, right?
Q: My team is handling as much work as it can possibly handle, and you’re telling me that there’s more work that has to be done, and I’m not going to get any more money, because every time I ask for additional budget I get denied. What should I do?
A: This is, unfortunately, a problem we all face. Some security budgets may be loosening industry-wide, but in the public sector we’re not seeing this yet. You most likely won’t get more money; that’s just reality, especially in state and local government, but for a lot of private sector folks too. One of the key things is to refocus your budget on areas where you can apply strengths to this “new norm” and focus a little less on the past. Restructure your budget to take into account new adversary skills. Instead of buying the most expensive firewall, buy one that is adequate, and apply the savings to acquiring a person, resource, skill, or third-party product that will extend your capabilities. In the public sector, there are a lot of resources for training that are free or low cost. Finding money for a training budget is difficult in the first place, so taking advantage of these cost-effective training opportunities for your people is important. Never forget that your people are your most valuable assets; invest in them.
Thank you to our special guest Grayson! Grayson has over twenty years of IT experience, primarily related to Information Security. His past positions include serving as the ISO for the VA State Corporation Commission and leading the security-consulting branch of a VA-based IT firm. Prior to that, he was the Lead Network Architect for Standing Joint Force Headquarters–Homeland Security and previously served as a non-commissioned officer in the U.S. Navy.