Data breaches are inevitable. As Michigan CSO Dan Lohrmann noted earlier this year, small security breaches occur in government more often than many people are aware of -- and then there are the large, widely publicized breaches, most recently in California, the Washington State Courts and last year at the South Carolina Department of Revenue.
Despite their inevitability, however, governments nationwide focus even further on cybersecurity -- and the U.S. Department of Commerce is no exception. But the difference for this federal-level agency is that it's working to assemble its own team of experts in cybersecurity, which it is has done by increasing the role-based training completion rate by threefold over the last three years.
And this federal-level training initiative will undoubtedly affect both state and local governments as well, says Rod Turk, chief information security officer and Office of Cyber Security director at the department.
The Department of Commerce IT Security Training Program, he says, is designed to meet the requirements mandated by the Federal Information Security Management Act (FISMA) -- and many of the Office of Management and Budget (OMB) and FISMA policies on IT security training are based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800 Series.
"What we refer to as the NIST 800 Series are a grouping of documents which describe the computer security policies, procedures and guidelines of the federal government of the United States," Turk said. "NIST is actually a unit within the Commerce Department. These NIST 800 Series documents are available to procure for free, and can benefit state and local governments that would like to beef up their cybersecurity protections. State and local governments can request to look at all of the Department of Commerce’s training materials."
And some states are already choosing to take the Department of Commerce up on this offer.
California, for instance, recently announced the formation of the California Cybersecurity Task Force, which brings leaders of private industry together with state officials to deal with cybercrime threats that they see rapidly increasing in threat.
Although this is the first collaboration of this kind to be sponsored by a U.S. state, many believe it's only the first in a series of measures that will address the interconnectedness of the public and private sectors that has developed through the use IT. And Turk said he sees this collaboration as a way to alleviate the "managerial rigidity" that has provided points of weakness that many computer hackers have exploited in recent years.
The training program -- which satisfies the federal requirement for annual personally identifiable information (PII) training -- covers a wide range of information, including how to properly safeguard private and sensitive information.
"The topics covered include the employee’s role in privacy, relevant privacy laws and OMB guidance, the Department of Commerce’s policy on electronic transmission of PII, and how to properly handle PII," Turk said, adding that proper handling of PII involves differentiating between sensitive and nonsensitive personally identifiable information in order to properly implement usage of secure file transfer tools. "The IT security training program is a proactive measure to prevent PII incidents. The program aims to increase employee awareness in safeguarding sensitive agency information and minimizing threats."
Turk also noted that collaboration is very important for ensuring cybersecurity in federated organizations. "Having the right people in place is just as important as having the right technology," he said, emphasizing the need for people who can communicate, write business cases and understand budgets and human resources. "Technologists are important, too, but I need a diverse mix of people in order to move security forward. We must be able to see beyond granular implementations of technology so that we can take in a fuller view of the security environment."
The cost of developing this new training program and the return on investment that will be seen by the Commerce Department are both unknown at this point. "Training content for the program is gathered and developed through multiple agency collaborations," Turk said, "so we are unable to provide a specific cost."
But the department isn't stopping with the PII training program -- it also is preparing to implement a departmentwide cybersecurity system for situational awareness that it calls Enterprise Security Operations Center (ESOC).
"We must be able to understand everything that's happening and properly share our information over the entire enterprise," Turk said. "Our goal with ESOC is to collect status feeds across the enterprise and present them as a dashboard that our CIO, Simon Skyman, can use to see which devices have secure baselines and what the patch level is. Simon and other CIOs will be able to view this data in near-real time, which will allow them to make better assessments of their security posture."