"The Cybersecurity industry is fundamentally broken... and the problem is not technology, but mindset." These recent remarks by RSA President Amit Yoran have been echoed around the country and in the halls of government in the wake of serious breaches of the Federal government. From last year's OPM breach to last week's breaches impacting DHS and FBI employees, there has been concern that the mindset protecting our government's IT systems needed a refresh.
That's why RSA applauds the President's Cybersecurity National Action Plan (CNAP) issued this morning. RSA will participate in many respects, but will also watch a couple of things to see whether the plan really brings clarity to the federal government's efforts. First, it will be interesting to see how the role of the federal CISO pans out. What real authority, accountability and responsibility will this new position entail that couldn't have been executed by the President's Special Assistant and Cybersecurity Coordinator? Second, how does the role of DHS change, explicitly or implicitly?
This renewed approach to securing our government from our adversaries seeks to tackle the mindset that has limited cybersecurity effectiveness to date. RSA has publicly endorsed one of the signature components of the President's plan: driving widespread adoption of multi-factor authentication for email and other critical applications and systems. I'm proud of RSA's efforts to raise awareness on this important issue. Multi-factor authentication - even going beyond the government's CAC/PIV infrastructure - is a vital step to delivering increased security. The National Cyber Security Alliance and many other organizations have worked hard to keep this issue at the forefront of our IT security consciousness.
Other components of today's announcement are also very important to tackle, including:
- Increased funding for cybersecurity.
- A broad plan to modernize the government's IT defenses.
- Creation of a Federal CISO (empowered to cut through silos across civilian government, DOD, and the Intelligence community).
- Activity promoting adoption of the NIST Cybersecurity framework, especially to the critical infrastructure community.
- Efforts to enhance the quantity and capability of the Federal cyber workforce.
One additional aspect of today's announcement is the launch of a Bipartisan Commission - with input from the private sector - that will focus on developing solutions to our most significant cyber challenges. RSA looks forward to supporting the work of this Commission. As the President noted in his op-ed in The Wall Street Journal, "we still don't have in place all the tools we need, including ones many businesses rely on every day." It's imperative that funding and momentum focus on the capabilities that matter most in today's advanced threat world. In broad terms, our vision to secure the Federal government consists of three pillars:
- Complete, real-time visibility into threats across our critical infrastructure at the Federal CISO level and at the agency and program level.
- Deployment of new identity assurance and access governance technologies that are built natively for the cloud and mobile era.
- A mature enterprise risk management approach to identifying and prioritizing efforts to mitigate risk.
As we observe National Safer Internet Day today, we must resist the urge to keep "sailing on the same maps even though the cyber terrain has changed."
Today's announcement by the President and previous efforts by our legislative branch show that our government and elected officials in Congress are taking a renewed focus on "operationalizing cybersecurity." Each one of us in the IT security industry has a role in this mission. I know it will be a key topic at this year's RSA Conference - and it is certainly a 'contest' we can't afford to lose.