Risk & Resiliency in the New Normal
Deloitte Insights Video
The pervasiveness of smart devices, social media, mobility, and the proliferation of data are making agencies more vulnerable to privacy breaches, fraud, and espionage by cyber criminals, hackers, nation states, and insiders. Today, it may not be a question of “if,” but rather “when” your network and/or data will be compromised. Creating a more secure environment is more challenging than ever, and more rewarding. Federal agencies are taking steps to be more proactive in detecting and deterring threats, and to be more resilient to the many faces of risk.
Tune in to learn more about cybersecurity in the era of friends, allies, and invisible enemies.
Sean O’Grady: Hello and welcome to Insights. Every day, Federal agencies are the targets of millions of cyber attacks, whether they know it or not. Today we'll talk about how Federal agencies can be more proactive in detecting and deterring threats and more resilient to the many faces of risk. Joining this broadcast remotely from Washington, DC, are Linda Solomon and Amry Junaideen. Linda is a Principal with Deloitte Consulting and leads Deloitte's Homeland Security practice which has served the Department of Homeland Security since its inception in 2003. Amry is a Principal with Deloitte & Touche. He also leads the Federal Cybersecurity and Technology Risk practices. And here with me in the studio is Ryan Brewer. Ryan was the Chief Information Security Officer and Director for the Centers for Medicare and Medicaid Services, and he's now a Senior Manager with Deloitte & Touche.
We're going to begin in DC with Amry. Amry, how has the cyber landscape changed and what kinds of threats do you feel agencies are facing today?
Amry Junaideen: The cyber landscape has changed a tremendous amount over the last several years. Number one, the pace and rate of technology adoption that Federal government agencies are going through right now is tremendous, whether you are talking about cloud computing, mobile computing, the adoption of social media as a tool that's being used in business – tremendous change there. Also, the complexity of government operating environments including the sophistication of a global supply chain – I think that's another one. And the third item really is around the adoption of cybersecurity as a mission imperative. So those would be the three primary changes in the landscape.
In terms of threats, I would put them into three categories. First is the threat from nation states. There are nation states out there every single day waiting to steal our secrets, whether it's secrets about an F-16 jet fighter or about some aspect of our critical infrastructure. Second is the threat from various criminal networks that exist all over the world, particularly in places like South America, Asia, Eastern Europe, engaging in activities such as committing fraud on identity theft and things of that nature. The third threat category is around insider threat, the growing threat that comes from trusted insiders abusing their privileges to steal information and data.
Sean: Thank you very much for that, Amry. I'm going to bring it up here to New York and Ryan, who's sitting beside me. So, you were the Chief Information Security Officer of the Centers for Medicare and Medicaid Services. What were some of the major challenges that your organization had to address to carry out your mission?
Ryan Brewer: One of the main tipping points started quickly after I took the position at CMS where we had a data call from the Department of Homeland Security. After about four days of working with the teams, it was clear we didn't have a good grasp of how many data centers we had working on our behalf and the number of IT assets in those data centers. So the strategy that we developed was quite simple. The first thing we had to do was figure out what we actually have running on our networks in real time. We executed a plan over an 18-month period to map out the topologies of all of our infrastructures across approximately 100 data centers and then roll out an enterprise-wide vulnerability management program. That led us to know in real time how many assets we had on the network on a daily basis within all those data centers.
Sean: The cyber landscape is changing every single day. How can you plan to be proactive to fight cybersecurity issues?
Ryan Brewer: It’s very challenging, and a lot of organizations struggle with it, and we did at CMS. What you have to do is actually take the benefits of situational awareness and everything that you’ll gather from that and not only explain it in cybersecurity terms, but also translate it into business language.
You want to be able to present that to the executives in a way they can digest it and it will resonate with them. That's the way you're going to be able to drive that change. Another key factor with that is leveraging all that continuous monitoring data. What you want to do is leverage that across the other programs so you can actually cut costs across those other programs. That's where you'll get a good return of investment for it.
Sean: Thank you very much for that, Ryan. I'd like to turn our attention back down to Washington, DC, and to Linda. Linda, given the accelerating frequency and the intensity of cyber attacks, it seems like it's becoming more of a question of “if,” not “when,” a Federal agency might be affected by these kinds of attacks. What steps do you see agencies taking to be more ahead and more resilient?
Linda Solomon: Thanks, Sean, and first, let me just say up front that the concept of staying ahead in cyberspace has a very limited time span, as I'm sure we can all imagine. Just to size the issue that our Federal government faces, the Department of Homeland Security reported that in 2010 alone, the Federal government, all of its networks, experienced more than 450,000 cyber attacks on average each month. That's 15,000 attacks a day. So the issue is enormous, and the Federal government certainly is intensifying its efforts in the whole cybersecurity space. DHS is playing a key role in driving this focus specifically on the civilian side of the government, and as you might imagine, as is the case with physical security, the whole concept of a multi-layered security approach is critical to addressing cyber attacks and putting the right type of security in place.
I think there are three areas that the Federal government continues to focus on. One, protecting against attacks that occur every day, the 15,000 attacks I just talked about. The Federal government continues to expand the EINSTEIN program which is the early warning program that basically identifies unusual network traffic and patterns that allows security officials to identify and respond to potential threats. Two, the Federal government is focused on and must continue to focus on identifying vulnerabilities, weaknesses in the system.
You know, today, the Federal government, for the most part, has been faced with fighting this issue on an agency by agency basis. The Federal government must come together in more of a collaborative fashion, look at the entire picture in terms of threats, best practices that are being employed, and develop a comprehensive strategy towards attacking cyber [threats].
And then also, in terms of addressing vulnerabilities, really working with the private sector to make sure that a supply chain defense strategy is in place. And finally, we’ve got to anticipate future threats. The Federal government has to get better at doing that; they have lots of data to use, to perform analytics on, and that is going to help in terms of moving the needle, in terms of identifying what threats are likely to occur in the future.
Sean: Wow, Linda, 15,000 a day. That's clearly a very staggering number. I'm just interested to know if throwing more technology at it is the only solution or are there other solutions to fending off these cyber attacks?
Linda Solomon: The simple answer, Sean, is no, technology is not enough and, like most efforts, beyond technology, people and culture play key roles. I bet if you were to ask any Federal agency today what their top challenge is in terms of addressing this cybersecurity issue, they're going to talk about the acquisition and development of skilled cybersecurity resources. It's a big problem. Federal agencies are working with universities and colleges to really help shape programs to ensure that the right people are getting developed and skilled in the whole cyber area.
Beyond the people challenge, I think there is also an important kind of cultural challenge from the standpoint of everyone plays a role, every employee in the federal government, every employee on the private sector side, every citizen in this country has to become more aware, has to take responsibility. We’ve got to take this topic seriously.
Sean: Linda, thank you very much for that. I'd like to return to Amry Junaideen who's there with you in the Washington bureau. Amry, how do agencies keep cost reduction from undermining the cyber progress to date and cyber initiatives going forward? How do those costs and keeping those costs under control not negatively influence the mission?
Amry Junaideen: I think it's a business reality that everybody is going to have some impact from a cost reduction perspective. It's a reality of a situation we're facing from a macroeconomic and a budgetary perspective, and even an important issue like cyber is probably not going to be immune from facing budget cuts and facing the threat of reduction of resources. So, what does this mean? This means that we've got to do more with less. If you take a page from the book of the private sector when we went through the great recession a few years ago, many private sector organizations, including those in the critical infrastructure area, had to basically do all kinds of creative things using technologies and all kinds of other techniques to do more with less, because that's the business reality.
So let's talk about two or three specifics. One is you're going to make sure that cybersecurity is tied to your mission and your mission objectives. If you basically regard security as a compliance check, I think, you lose the battle. So by [aligning to the mission], you basically protect some of the funding and keep it on the front lines of somebody's attention span.
The second thing is using all of the technological advances available to us from the variety of vendors that are out there to make sure we've got the latest in technologies that can actually help us monitor cyber risks and cyber threats and help us actually do this better. And the third element that I would focus on is to make sure that we're focusing on risks that have the highest impact to the mission.
The bottom line is if everything is the focus, nothing is. So having the process in place to make sure you understand what your specific risks are that undermine your mission and your objectives, I think those are some ways that you can make sure that your cyber environment is protected, is safe, and you're able to do it with less resource. Because let's remember, any effective operating environment needs to have good cybersecurity. That way you gain the trust and confidence of your stakeholders.
Sean: If everything is the focus, nothing is. Very interesting. I'd like to ask one last question. It's for all three of you but I'd like to bring it here to New York with Ryan first, and that is we've been talking about cyber and cybersecurity as it pertains to the Federal agencies, the US government, but really this appears to be an issue that is growing and not isolated to just the US government. This is something that is global, so looking into that crystal ball, how do we continue to fight against this in 2020?
Ryan Brewer: It's a good question. I mean, if you're going to learn from anything in history, let's look back 10 years. We were faced with operating system and application level vulnerabilities. Well, guess what? We're still faced with those today. We still struggle with them, and the malicious actors are still going to take that low-hanging fruit if they have a chance to. It's a simple business decision. Another key point is something that Amry alluded to earlier. If you don’t have a good understanding in real time of what your risks are within your organization, it's going to be really challenging for you to recover from any type of cyber event. Cyber events are global, so being able to recover from them is something you have to work on by knowing where your risks are in real time.
Sean: Amry Junaideen, back to you down in Washington, DC. How do you see cybersecurity in the next ten years?
Amry Junaideen: Ten years is almost a lifetime in this rapidly advancing technological world we live in, but if I can take my crystal ball out and think about that for a moment, number one, I think we need to have more adaptive risk management systems that try to keep up with the adversaries and our enemies out there. Right now, the issue is that we're always playing catch up. I think Linda alluded to this earlier. So in ten years, the first thing I would like to see is a more adaptive risk management environment where we are keeping up and perhaps even getting ahead of the threat environment.
Number two, Linda also talked about culture change. That's really important. Global culture change as it relates to cybersecurity, global cooperation among nations working together and helping solve this cybersecurity problem. Let's not forget that real trusted partnership between the private and public sector. And the third item, last but not least, is how about some artificial intelligence, self-learning, adaptive technology that identifies threats out there and figures out how to fix the problem with little to no human interaction. That'll be pretty nice.
Sean: And, Linda, your final thoughts?
Linda Solomon: Well certainly, Sean, my colleagues have hit on the critical topics and I certainly agree with their comments. I'm going to come at this from a slightly different perspective. I believe that from a management [perspective], driving towards results in terms of all the things that you know, the Federal government and private sector need to do in this arena of protecting our information and data networks, we've got to take on the approach of what gets measured gets done. I think that one of the critical elements of the go-forward plan as we march towards 2020 is going to be a uniform performance management system that we use as a nation to measure what we're accomplishing and understand where we're failing, where we need to take a different turn. That's got to be a focus of this effort. So I think you've heard the technical answer from my colleagues. I think it's also important to put the right performance measurements in place so that we can make sure that we are headed on the right path in solving this issue each and every day.
Sean: Well thanks for that, Linda, and thanks to all the guests for today's program. We've been talking risk and resiliency in the new cyber normal with Linda Solomon and Amry Junaideen in Washington, and Ryan Brewer here in New York. If you'd like to learn more about Linda, Amry, Ryan, or any of the topics discussed on today's broadcast, you can find that information on our website. It is www.deloitte.com/insights/us. For all the good folks here at Insights, I am Sean O’Grady, we will see you next time.