The same old story: Security vs. Functionality

By: William Jackson
September 16, 2016


Security has long been an afterthought in cyberspace. From the first computers through the development of the Internet to today’s cloud-based mobile applications, the first consideration has always been functionality. Security comes later, usually after some embarrassing demonstration of its need.

With the attention being given to recent breaches (the Office of Management and Budget, Sony, the Democratic National Committee, to name just a few) you would think that this priority would be shifting. But apparently that is not the case. When the Government Accountability Office asked federal agency CISOs about the biggest challenges to their authority, competing priorities between operations and security was number one. Eighteen out of 24 CISOs rated this as a large or moderate problem.

There is no mystery about this. Organizations make large investments in IT to become more efficient and productive; individuals adopt it for convenience and for fun. Security, on the other hand, seems to be about saying no; telling us what we can’t do and making it more difficult to use our tools and toys. So there has always been a trade-off between security and functionality. The faster a technology is and the easier it is to use, the less secure it is likely to be. Make it more secure and it becomes less user friendly.

Security also takes time, and that often comes out of the up-time of IT systems. Since the performance of the IT staff is based on up-time, it is no wonder that they see cybersecurity as the enemy.

Under the Federal Information Security Modernization Act of 2014, cybersecurity is the responsibility of the Chief Information Officer, who delegates it to a Chief Information Security Officer. But these CISOs are finding it hard to do their jobs. Cybersecurity is seen as a drain on limited resources and as something that stands in the way of progress because it can’t keep up with rapid advances in technology. Organizations’ priorities are maintaining existing operations rather than correcting weaknesses and vulnerabilities. Front-line security personnel often report to operational management rather than to the CISO. As a result, those staffs are driven by operational imperatives rather than by security priorities.

This is unlikely to change as long as security is an afterthought and cybersecurity is handled by a separate organization within the agency. Cybersecurity ultimately is the responsibility of the agency or department head, who also is ultimately responsible for everything else. But in the real world the CEO cannot do everything, and responsibility is delegated. Responsibility for security and responsibility for operations are delegated to separate shops. NIST guidelines call for a risk-management approach to cybersecurity, taking security risks into account in all operational decisions. But the decisions are made separately, and security continues to be seen as an impediment to accomplishing the agency’s mission.

What is needed is to bring security and operations together somewhere in the guts of the organization rather than at the top. Maybe if the CISO were replaced with a Chief Productivity Officer who is responsible not only for accomplishing the mission but for doing it securely, security would be considered alongside functionality and would be seen as less of an impediment.

A CPO is not likely to be a panacea. But the idea of a separate CISO doesn’t seem to be working as was hoped. Something should be tried to more effectively merge operations and security within government agencies.