White House $19B Cyber-Security Plan Has Little Chance of Success
Those old, slow systems are also incompatible with other systems owned by the government, which means that no single fix will work across every federal agency. Often no single solution can even be used throughout one agency, and custom development of security solutions is difficult where it is possible at all.

And that's just the beginning. While naming a new federal CISO is a step in the right direction, it is only a first step. Each department in the Executive Branch has a different mandate, incompatible systems, a different history of implementation and different security requirements. And that's just one of the three branches of the federal government. While the CISO will likely hold dominion over the other security managers, this is not a situation in which one person can simply issue a mandate and expect it to happen.

Even getting a basic inventory of existing IT hardware and software across all of the departments and agencies is a multi-year undertaking. Not only do these organizations not know what infrastructure they currently have, they have no way to find out: even acquiring the tools to conduct an inventory would require a multi-year procurement action.

But suppose that somehow the initial challenges of changing the government's IT systems were overcome. Then what? Initially, nothing would happen. The new federal CISO is being appointed by a President with less than a year left to serve. Then, assuming the next president decides to have a CISO at all, a new one will be appointed. That person will have to start all over, and the process will begin again. That $19 billion will already have been spent, perhaps with little to show for it in terms of comprehensive security improvements.

"It takes a lot more than just money to get started," said Ray Rothrock, CEO of RedSeal, a security company that's active in public policy. "I don't think you can just sit down with a big chunk of money. It needs to be built over time."

Rothrock pointed out that in some cases procurement issues can be avoided. "There's a lot of stuff that can be done without procurement of a new system," he said. That includes studying the existing architecture and defining what an appropriate architecture should be. He said it is also important to define metrics, so that it is possible to know how the existing systems work and how well they accomplish their purpose. Part of the strategy is also knowing what to define as the desired outcome.

"I hope that the business strategy is meant to achieve three things," said Cylance CISO Malcolm Harkins. "Lowering of the risk, lowering the total cost of controls, lowering the control friction that can occur." He explained that lowering control friction means making sure that security measures don't make it harder for employees to do their work. But Harkins also noted that it is critical for the new CISO to pay attention to the big picture. "You have to manage the outcome, not the risk," he said.