In late June, I was honored to testify before the Senate Appropriations Subcommittee on Financial Services and General Government on the recent Office of Personnel Management (OPM) data breaches. My testimony focused on the broader systemic issues that must be addressed for any organization to protect its IT systems and sensitive data sets. One of my main themes is that the very best cyber security defense is the result of managing your IT infrastructure and software applications well.
During the 1970s and 1980s, organizations could build and deploy IT systems with little regard for security. This was not necessarily a management failure, since there were very few security issues to be concerned with before the broad use of the Internet and the rise of ubiquitous data networks. From the 1990s to the present, however, many private sector corporations and government agencies have been guilty of not properly managing their IT environment. By failing to adapt effectively to changes in IT and to the evolving cyber security threat, they have created an environment that makes it exceedingly difficult (or even impossible) to secure their data and systems.
As examples, when I served at IRS and then at DHS, we would all too routinely discover IT systems outside of the IT organization’s purview that had been developed and deployed without the proper IT security testing and accreditation. This highly distributed approach to IT management leads organizations to struggle with managing and maintaining a dispersed infrastructure and disparate systems. In far too many instances, hardware and software assets are not systematically tracked, software is not routinely updated and patched, and critical hardware and software have reached end-of-life and, in some cases, are no longer even supported by the vendors. And while I am a big proponent of cloud technology, I am concerned that many organizations are not necessarily using cloud capabilities to streamline and simplify their infrastructure, but rather creating new IT “stovepipe” infrastructures. The complexity of maintaining a sea of vastly different systems on an ocean of differing underlying IT infrastructures makes it all but impossible to properly secure such an IT environment.
There are many facets of IT management, but to make substantial progress that will result in both a more efficient and secure IT environment, focus on two major initiatives:
- Simplify your IT infrastructure
  Any simplification of IT infrastructure has manifold benefits, not only in operating cost savings but also in making it easier to maintain and secure your IT environment. In particular:
  - Work to reduce the number of operating systems you need to support
  - Leverage cloud-based Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) where possible
  - Drive server virtualization in your own data centers
- Standardize your operations processes
  Along with simplifying the infrastructure, drive standard processes for operations functions, and automate those functions where possible. In particular:
  - Leverage existing service management practices, such as ITIL, to drive efficiency and increase alignment with the needs of the customer
  - Investigate means to automate processes with tools that can work across the whole enterprise — a piecemeal approach is what leads to vulnerabilities
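The management gaps named above (systems deployed outside the IT organization's purview, assets not systematically tracked, patching not routinely applied, hardware and software past end-of-life, and too many operating systems to support) are all things an enterprise-wide automated check can surface. The following is an added example, not code from the post or from any agency or vendor it mentions: it reconciles a constructed asset register against constructed observations of hosts on the network and reports untracked hosts, stale patching, end-of-life platforms, registered assets that were not seen, and the number of distinct OS/version pairs in use. The hostnames, dates, the 90-day patch threshold and the end-of-life table are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed example data: the authoritative asset register (what the IT
# organization believes it owns) and hosts actually observed on the network,
# e.g. from a discovery scan. Hostnames, OS names and dates are illustrative.
ASSET_REGISTER = {
    "web-01": {"os": "ubuntu", "version": "22.04", "owner": "platform"},
    "db-01": {"os": "windows-server", "version": "2022", "owner": "data"},
    "legacy-app": {"os": "windows-server", "version": "2008", "owner": "finance"},
}

OBSERVED_HOSTS = [
    {"host": "web-01", "os": "ubuntu", "version": "22.04", "last_patched": date(2024, 5, 20)},
    {"host": "db-01", "os": "windows-server", "version": "2022", "last_patched": date(2024, 1, 3)},
    {"host": "legacy-app", "os": "windows-server", "version": "2008", "last_patched": date(2023, 9, 1)},
    {"host": "shadow-box", "os": "centos", "version": "7", "last_patched": date(2024, 4, 10)},
]

# Constructed end-of-life table (an assumption for the example; a real check
# would load vendor lifecycle data).
EOL_VERSIONS = {("windows-server", "2008"), ("centos", "7")}

# Assumed policy: anything not patched within 90 days is flagged.
MAX_PATCH_AGE_DAYS = 90
# Fixed "today" so the example is reproducible.
TODAY = date(2024, 6, 1)


@dataclass
class Finding:
    host: str
    issue: str
    detail: str


def audit_inventory(register, observed, eol, today, max_age=MAX_PATCH_AGE_DAYS):
    """Reconcile observed hosts against the register and return findings."""
    findings = []
    seen = set()
    for h in observed:
        name = h["host"]
        seen.add(name)
        # A host on the network that the register does not know about is the
        # "system outside the IT organization's purview" case.
        if name not in register:
            findings.append(Finding(name, "untracked",
                                    "observed on network but absent from asset register"))
        if (h["os"], h["version"]) in eol:
            findings.append(Finding(name, "end-of-life",
                                    f'{h["os"]} {h["version"]} is no longer supported'))
        age = (today - h["last_patched"]).days
        if age > max_age:
            findings.append(Finding(name, "stale-patching",
                                    f"last patched {age} days ago (limit {max_age})"))
    # Registered assets that were never observed may be decommissioned without
    # the register being updated, or simply unreachable by the scan.
    for name in register:
        if name not in seen:
            findings.append(Finding(name, "missing",
                                    "registered asset not observed; verify decommissioning"))
    return findings


def summarize(findings):
    """Count findings per issue type for a management-level summary."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


def os_diversity(observed):
    """Number of distinct OS/version pairs in use: a simple measure of the
    infrastructure sprawl the post urges reducing."""
    return len({(h["os"], h["version"]) for h in observed})


def run_example():
    """Run the audit over the constructed data with the fixed date."""
    return audit_inventory(ASSET_REGISTER, OBSERVED_HOSTS, EOL_VERSIONS, TODAY)


if __name__ == "__main__":
    results = run_example()
    for f in results:
        print(f"{f.host:12} {f.issue:15} {f.detail}")
    print("summary:", summarize(results))
    print("distinct OS/version pairs:", os_diversity(OBSERVED_HOSTS))
```

The value of a check like this comes from running it against the whole estate on a schedule rather than per team: a host that no register claims, or a platform that has aged out of vendor support, is exactly what a piecemeal, per-organization approach fails to notice.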
There is much confusion regarding cyber security and the best way to protect data and systems. There is no single cyber security product or service that offers complete protection, and in my experience, without solid IT management practices implemented across an organization, many of the security tools are simply ineffective. There is just no easy fix — so start by driving improvements in IT management and then implementing your chosen suite of cyber security products.