Tuesday, July 03, 2007

Tired of all the talk

I read White House council puts cybersecurity in focus this morning, and I have to say: "Enough is enough."

The Federal government needs to stop talking about cybersecurity and start doing cybersecurity. If they're just now putting cybersecurity into focus, where has it been for the past several years?

Basically, the article talks about improving communications between first responders at the Federal, state and local levels, and about providing better cybersecurity guidance. The problem is that this is all just talk and paperwork, like most of the Federal cybersecurity initiatives. Yes, communication is important, as is guidance, but do know what actually makes things more secure? People. And money. Neither of these are features commonly seen in Federal cybersecurity initiatives.

Note to all my readers in the White House: The Federal government is too big and the agencies too diverse to effectively push cybersecurity from the top down. Instead of trying to centralize the cybersecurity programs at the Executive level, focus on supporting the agencies by giving them the resources necessary to develop and maintain their own effective security programs. Stop funding them as an afterthought, and get real about how much it costs to hire and train effective security personnel. Recognize that security requires positive actions to make computing safer, not just getting the FISMA reports done on time.

When the government starts doing these things, Federal security will improve. Then you can worry about centralization. Until then, though, it's just a bunch of useless talk.


Unknown said...

Persanally I do not think the Federal Government really cares about cybersecurity. You talk about the different agencies but each agency is broken up into dozens of separate fiefdoms. Each of these duplicate efforts which costs even more money taxpayer money.

DavidJBianco said...

I disagree, in that I do think the government cares about cybersecurity. It's just that they don't seem to know how to do it, or even what security actually means.

Don't get me wrong: I recognize that there are significant challenges to be overcome here. Even at the level of individual Departments, the organizations are huge, and meaningful change is slow and painful. But even if the Departments want to change, it's pretty clear that they don't know how.

It comes down to the fact that cybersecurity is usually confused with compliance, reporting and other paperwork. All important pieces, to be sure, but they're fundamentally crippled without adequate people and resources.

rybolov said...

The government does care, it's that how do you manage a $68Billion IT budget and include security? It's hard to do, and all the naysayers for the most part have never tried to do it. There isn't any security management model that we have today that scales to that size.

I teach FISMA and C&A to contractors, vendors, and government employees and security in the government is a lot harder than you would think.

Anyway, I talk about this stuff all the time on my blog. Check it out: http://www.guerilla-ciso.com/. For the really juicy stuff, hit the FISMA topic.