While there was an apparent false start this week concerning the signing of an executive order by President Trump that, among other things, is expected to call for a complete review of Federal government cybersecurity, the one thing that is clear is that there will be more focus on IT security at the senior-most levels of government. President Trump says he intends to hold each cabinet executive responsible for cybersecurity within their departments.
If and when such reviews get conducted, a new administration is about to discover issues most business leaders are already all too familiar with. Most IT security today is built around network perimeters that have become all but indefensible, and anti-virus software on the endpoint that is no longer as effective as it once was.
In addition, they’re also about to be made painfully aware of the glacial pace most government agencies move at. As a lot of businesses have discovered in recent years, government agencies have been layering on thousands of undocumented rules for processing network traffic through a network firewall that in all probability is misconfigured. Not many IT people within those agencies are likely to know why those rules were implemented in the first place. IT security inside and out of the government all too often simply winds up being an exercise in layering conflicting firewall rules on top of each other by successive waves of administrators.
In the meantime, cybercriminals actively research new ways to compromise systems. Whether it involves injecting malicious content into a database or stealing end user credentials via a spear phishing campaign, just about every IT professional inside or out of the government intuitively knows that the potential attack surfaces are too broad for them to defend alone. Knowing that and being willing to admit it, however, are all too often different things.
Far too many IT professionals still have it in their heads that they can effectively defend their IT environments. It’s not that they’re arrogant about it; it’s just that they take professional pride in their skills. There’s also a natural bias against relying on external expertise, which is often viewed as an existential threat to the IT staff. And yet, IT leaders would be the first to admit they don’t have the skills or the budget required to put up an effective defense. That creates a paradox where a lot of extra attention on IT security doesn’t necessarily drive any additional meaningful action.
In reality, there is no getting around the fact that IT security is getting more expensive. An effective modern IT strategy requires nothing less than major investments in everything from Big Data analytics to next-generation firewalls and new approaches to endpoint security. The only way to cost-effectively implement those technologies outside of government agencies that can’t tap into Defense budgets is to deliver these technologies as a managed service via the cloud.
Of course, reviewing IT security is not quite the same thing as committing funds to fix it. But it would be good for government officials to have a better understanding of the true scope of the problem. They’re more than familiar by now with why IT security is an issue. But understanding the impact of something is not quite the same thing as knowing how to go about fixing the root cause of the problem. For a lot of government officials, that part of the exercise is about to become a truly eye-popping experience.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.