IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

As Cyber Money Comes in, Don't Miss the Forest for the Trees

There's momentum — and funding — behind improving state and local government cybersecurity like never before. But as leaders ponder how to use it, they should remember that security is not about the latest slick tool.

A,Muddy,Path,Winds,Its,Way,Through,The,Trees,Into
Shutterstock/Three Sixty Images
The sky is darkening with swollen money-clouds eager to rain down on the state and local governments from Congress.

When the deluge comes, public officials will have many choices ahead of them on how to spend it. And one of the most important subjects — though not nearly recognized enough — will be cybersecurity.

Next, the vendors will come clamoring to sell a cornucopia of products to those state and local governments. Many of them could be very useful!

But we would do well to avoid what might be called “shiny object syndrome” here.

The problem is that security is not a discrete section of IT. It’s a layer that covers every nook and cranny of IT, including the decision-makers at the top, the end users, the network, the unlocked doors, the consumer app on a city-issued cellphone and the 20-year-old server — everything. Shiny objects are merely a response to these things. To improve security, leaders will need to think harder about the structure of their entire organizations.

“Investing in tools without understanding what your gaps are is probably not a good investment,” said Chris Kubic, CISO of the company Fidelis Cybersecurity. “And quite frankly, you know, most organizations have more tools than they know what to do with.”

It’s worth asking if there are ways, in this new world enthusiastic about cybersecurity, to achieve long-standing goals of an IT organization in such a way that it improves security as a byproduct.

If a legacy system constitutes a security threat, then modernizing it can both help the government function better and improve the organization’s security posture. If an application can be moved to the cloud and refactored to help support remote work, it can also take advantage of baked-in security tools it didn’t have on the ground.

PEOPLE


Then there’s the X factor: humans. How can we train, promote and shuffle government workers around so that they can work with these new systems more effectively while advancing security?

Case in point: Nevada County, Calif. At 100,000 people, Nevada County lacks the cyber resources and funding of many of the 600 or so counties in the U.S. that have higher populations. There are many, many counties and cities that share its cyber predicaments, namely: the lack of a CISO, or much of a security team for that matter.

When I asked Steve Monaghan, the county’s CIO, whether he was feeling better about the state of his organization’s cybersecurity after recent upgrades, he said yes. And then the next thing he brought up was not the county’s implementation of end-user protection, or its cyber infrastructure improvement plan, or the new cyber grants included in the bipartisan infrastructure bill — it was about a staffing change.

Not long ago, Monaghan appointed the county’s first dedicated security manager.

“I can call up 100 vendors and get a cyber expert in tomorrow to help me do [a] configuration, installation, whatever,” Monaghan said. “What I can't call up and hire is somebody to … go out and talk to my department heads about the risk of their IT systems and the security and the investments we need to do in there, and why they need to comply with the policies and procedures we put in place, and why it's going to cost a little bit extra for this next project because we have to put the security measures in place, or why it's going to limit a little functionality.”

THE LEGACY PROBLEM


We can also find wisdom in the words of Congress’ Cyberspace Solarium Commission, which wrote in its May 2020 report that, “if done well, digitization can actually serve to improve the security of service providers once responsibility for it is assumed by larger entities, like cloud service providers.”

Notice the “if.”

“If all the appropriate investments are made in processes and people, moving to a modernized technology will improve cybersecurity,” Mark Montgomery, the commission’s executive director, told me in a recent interview. “And I'm comfortable generalizing that. But I did put a big ‘if’ at the front, right?”

However, as I wrote in my last opinion piece, it’s not that technology is bad just because it’s old. There’s really one big issue that will point to places where modernization is needed to reduce security risk — vendor support.

“It comes down to, at some point the technology gets so old, the software gets so old, that it's no longer supported, so you can't keep it up to date from a security standpoint,” Kubic said. “But if … the vendor is still supporting it (and) you can keep it up to date, then conceivably you can secure that.”

Of course, it’s not always so simple. As I interviewed sources for this piece, I heard many potential stumbling blocks to modernization. William Sanders, a senior manager on Oracle’s public-sector team, pointed out that in government IT shops, assigning employees to a big modernization project often means taking them away from pressing day-to-day matters. Nevada County’s Monaghan described older applications specialized for niche business functions that are difficult to move and transform.

“When you have a specialized (commercial off-the-shelf) solution for a business unit, you're kind of stuck. They need that solution, there's no other option,” Monaghan said. “You keep trying to re-platform and keep it going, but sometimes you hit a wall where it won't work on anything (but an old server).”

To Monaghan, the big goal is not just the security of the organization, but the maturity of the organization.

“The higher the maturity of your IT shop, of how you manage it, the lower your IT risk,” he said. “So it's not just about buying the latest, greatest new endpoint protection and the latest, greatest router or firewall or whatever — you need to do those things. But … more importantly, you have to mature out your IT management system, such that you're doing the fundamentals well. Because if you're not doing the fundamentals well, it doesn't matter if you have Carbon Black, because it's going to come in anyways. If you're not dealing with change management well, if you're not doing incident management well, you're not doing patch management well, it doesn't matter if you invested all this great money on all the latest, greatest cyber products.”

THE CLOUD AND COVID-19


Another area ripe with opportunity to accomplish multiple goals at once is the cloud. While enhancing security, cloud can also enable the kind of distributed workforces the majority of governments have become much more familiar with during the pandemic — and which will certainly become a fixture from here on, in many cases.

“Digitization and cloud services provide the agility and visibility that is essential to shaping and managing effective government cybersecurity programs,” wrote James Yeager, VP of public sector at CrowdStrike, in an email. “This is especially prevalent in the hybrid and remote workplace environments brought on by the COVID-19 pandemic last year. Cloud services played a pivotal role in ensuring security teams had both the proper access and visibility to detect, investigate and remediate threats on any worker’s device — regardless of their work location.”

There’s a catch, which is that organizations moving to these new technologies must actively invest in cybersecurity as they adopt them.

“A digital business without modern and innovative security infrastructure and tools is like leaving the front door to your brand new mansion open and unlocked,” Yeager wrote.

This is the work that waits ahead. As appealing as it seems to plug a sleek new tool into the IT architecture and call it good, it won’t solve your problems. The reality is that security is just part of the game.
Ben Miller is the associate editor of data and business for Government Technology. His reporting experience includes breaking news, business, community features and technical subjects. He holds a Bachelor’s degree in journalism from the Reynolds School of Journalism at the University of Nevada, Reno, and lives in Sacramento, Calif.