In today’s environment, many organizations – across government, academia, and the private sector – make the unfortunate mistake of conflating cybersecurity with cyber compliance. And it’s easy to understand why: There are mountains of guidelines and standards to which these organizations must comply. It’s hard not to be compliance driven.
The difference, while subtle, is important. Compliance is a lagging indicator of a security profile. It takes time to develop standards, gain consensus, share them, implement them, and then update them consistent with operational realities. By the time you do that, the adversary has already figured out the next thing – the thing that’s not included in your compliance standards – while your attention is on checklist management.
Compliance protects organizations against legal risk but not against true security risk. When you’re compliance-focused, you’re working toward building compliant systems rather than truly secure ones.
“Compliance protects organizations against legal risk but not against true security risk. When you’re compliance-focused, you’re working toward building compliant systems rather than truly secure ones.”
Dr. John Sahlin
Director, Cyber Solutions – Defense
For this reason, organizations must move beyond compliance alone. They must be forward-looking and security-minded, with the understanding that if they are, they’ll inevitably map to compliance. After all, at the end of the day, compliance is table stakes. “Doing things right” is compliance; “doing the right things” is security.
So, what does it take to become truly cybersecurity focused?
First, a secure cyber approach begins with architecture. It’s about conducting secure systems engineering with the business need or the mission need in mind and creating architectures that reflect those needs. This involves asking questions like: How do I secure the critical data assets that are vital to the mission; what are those assets; and how should I protect them differently than other non-critical assets?
Performing this security-minded assessment is key. Having the conversation early means you’re not forced to make those decisions in an ad hoc way in theater. Think about it as if your house were on fire: What’s irreplaceable, what would you grab, where is it? And wouldn’t it be easier to have a go-bag ready rather than making decisions under duress?
The second element of a cybersecurity focused approach is resiliency. Once you’ve built a mission-focused technical architecture that maps to critical data assets and functions, your next challenge is not to prevent any possible attack, but to build resiliency.
It’s a bit like boxing: You can’t bob and weave around forever; you’ll exhaust all your energy, and you’ll eventually get hit anyway. Instead, good boxers learn to take a hit, bounce back and stay in the fight.
A third critical element in cybersecurity: A shift in thinking from trusting users and systems within the security perimeter to trusting nothing and no one and focusing on protecting data. Zero Trust is getting a lot of hype right now, and for good reason. At its core it’s about protecting data at the data level. It’s rooted in an understanding that some data is critical to the mission and, thus, needs to be protected differently. To do it, you might add a layer of security around certain things that you might not add to everything. This is security at a micro level, understanding that a perimeter approach doesn’t work. We have to look at data differently, rather than thinking we can protect the whole system.
Of course, the key to all of this is the ability to operate at machine speed, which requires the right people and the right technologies applied in the right places. The average time for a bad actor to move from one segment of a network to another is, on average, 90 minutes. One-third of them can do it in 30 minutes.
It’s impossible to expect a human to detect and respond to every potential incident that quickly. So we need technical, automated, real-time solutions that work in concert with human analysts – because the challenge isn’t to identify redline behavior; the challenge lies in reading between the lines.
Machine learning and artificial intelligence can easily detect the non-conforming behavior but require human-machine teaming to investigate and interpret the nuance. Together, human analysts help build and train AI/ML models that get smarter over time, and identify adversaries that present – not as needles in haystacks – but as interesting needles among stacks and stacks of needles.
This is the approach we take with our clients at GDIT. We work side by side with them to build truly secure environments, rather than just compliant ones, because – again – we know that if you operate with security in mind, you’ll inevitably map to compliance and be ahead of the game at the same time.