Cybersecurity threats continue to dominate headlines with the risks seeming to mount daily. The consequences of a breach have been prevalent in headlines. Less prevalent is the discussion about what government agencies can do to minimize those threats at every level of the organization.
To gauge federal government IT decision makers’ awareness and attitudes about a range of cybersecurity topics, the Fort Meade Alliance commissioned a poll with government market research firm Market Connections, Inc. The online survey of 200 respondents from federal civilian and defense/military agencies looked at issues including insider threat prevention, investment priorities and cybersecurity awareness training.
The poll found that training to prevent cybersecurity threats is an investment priority for more than 60 percent of federal civilian and defense/military organizations. While employee training is among the top investment priorities for prevention of insider threats, it is a significantly higher investment priority for defense agencies, compared with their civilian counterparts.
FedPulse had the opportunity to speak with Deon Viergutz, president of the Fort Meade Alliance and director of cyber operations for Lockheed Martin Information Systems and Global Solutions, about what the Alliance learned from the research and what government agencies can do now to minimize cyber threats.
FedPulse: Tell us about the Fort Meade Alliance and why this study was important to you.
Viergutz: The Fort Meade Alliance is a 501(c)(4) non-profit, independent community membership organization. It was created to promote and support Fort George G. Meade, its 117 government agencies and organizations and surrounding areas as an economic asset. Our mission is to promote the well-being of the region with programs that support FGGM priorities, and serve as a resource to help facilitate connections that make a difference. Many of our members are directly involved in protecting information technology assets and our government’s most sensitive information and mission-critical systems. Cybersecurity is a critical issue for them.
We believe, and the survey supported this, that awareness training can help solve many of the cybersecurity challenges agencies face. This research was important to help us better understand government organizations’ needs and determine how best to serve our members through future trainings and programs.
Two years ago, Fort Meade Alliance released a white paper—Cyber Mindset: Transforming education and expanding the workforce for America’s cybersecurity challenge and Maryland’s newest industry—that assessed the importance of making sure cybersecurity curricula in academia were dynamic. This study reinforced the need for education and training to evolve to meet the ever-growing demand for qualified workers in the field.
FedPulse: Based on your experience, were there any surprises in the study results?
Viergutz: The top five cyber threats—misuse, phishing, malware, spam, and data leakage—remain consistent, although the priority may change at any given time. While not surprising, it was interesting to see misuse listed as the top threat (52%). Misuse, I believe, goes beyond cyber espionage to touch many aspects of security. The notion of misuse gets to the “human element.” People are not perfect—they can cause cybersecurity breaches simply through not having basic information. Often “misuse” is not intentional or malicious, but it is preventable.
I think misuse coming up as the top threat is a sign that there is increasing awareness of the different, and complex, aspects of cybersecurity—including the human element.
FedPulse: What is the importance of the “human element” in cybersecurity?
Viergutz: These days everyone is connected—via cloud services, mobile devices, networks … the list goes on. We’ve got people working on both unclassified and classified networks. The opportunity for misuse or inadvertent problems increases the more technology advances. What this means is agencies and contractors have a whole host of issues to consider, starting with security and policy procedures, and including how they address cybersecurity when developing apps or hardware. They need to know the systems checks and balances.
Ensuring that all users are trained in these policies and procedures, and that they understand the consequences of their actions, needs to be a fundamental organizational priority.
FedPulse: In what areas does government need to build and improve awareness?
Viergutz: Government and industry can benefit from continuing to build awareness in all areas of cybersecurity—and continue to make this a priority over time. The training needs are different depending on user roles and the missions or services, so there need to be different levels of training and certifications. At a minimum, there needs to be some form of “Cyber 101” training—covering the absolute basics such as the kind of incidents to report or why not to use key fobs [thumb drives] in secure computers, et cetera.
I believe that building a cultural commitment to cyber awareness and security is the best defense against any threat. For example, for the last five years Lockheed Martin has been training their entire workforce with an enterprise-wide view of what being cyber secure means through its I Campaign®. This comprehensive approach improves employee behavior, and we’ve seen a 50 percent improvement in employee reporting behavior to the LM-CIRT as it relates to suspicious emails. This kind of approach would work well in any organization.
FedPulse: The study showed that training is a lower investment priority for civilian agencies than defense. Do civilian agencies need to be as diligent about cybersecurity as defense agencies?
Viergutz: Yes, defense customers are spending more on cybersecurity than civilian customers. Part of this has to do with the services the agency provides. Defense and intelligence agencies have more of a national and global security mission. Civilian agencies like the IRS that manage vast amounts of financial data also have a hyper awareness of security. In those instances, it’s clear what would happen with a breach. The public is aware and concerned about their privacy and the impact of an inadvertent release of their information, and those agencies have put the controls and monitoring in place to address the threat.
However, all agencies need to be diligent. The consequences of a breach may not be as severe in a smaller agency, but they could still impact the mission or consumer privacy.
FedPulse: What type of training is needed?
Viergutz: Every agency needs a cyber strategy—a conscious approach to how to address cybersecurity. In some smaller agencies, general awareness and fundamentals training may be sufficient. From there, the type of training changes depending on the mission of the agency and the role of the individual.
In Defense and Intelligence agencies, the implications of cybersecurity are more critical—it has a significant impact on mission. For civilian agencies, it depends on the service to the citizen. The IRS or HHS, for example, have access to different information than the Bureau of Land Management. They will have different training needs and different assets to protect.
FedPulse: Where does government need to look for this training—is it a capability they should be developing in-house, or are there well-established external resources they should lean on?
Viergutz: Again, this depends on the agency and the mission. Defense and Intelligence agencies have in-house training uniquely developed for their missions. But not every agency can afford to build an internal security intelligence center and cyber security program. Sometimes, they can get support from an agency that does have one, or they can outsource their cyber program to industry.
There are many places to look for training. Within the government, there is some unique training agencies can access. For example, the Department of Homeland Security offers cyber training and compliance programs that are unique to the national security space.
Agencies can also look to their trusted partners. A number of larger companies have developed internal cyber training that they can provide to their customers. For example, Lockheed Martin has a cyber-immersion training program for analysts and an advanced persistent threat capability that they will provide to customers.
FedPulse: Do you have anything else to add?
Viergutz: Cybersecurity training is not a one-shot endeavor nor is training alone sufficient. It is constantly changing and the threats are evolving—we need to take every opportunity available to build awareness and reinforce learnings. A comprehensive cyber security program and subsequent investment must be as fundamental to every company and government agency as a human resource or supply chain system.
To that end, the Fort Meade Alliance is planning an education and workforce forum on February 24, 2015 to have an in-depth discussion on cyber security and the workforce needs of our region across a broad set of sectors. (Event details will be available in January.)
We would like to thank Deon for taking the time to speak with FedPulse.