CIOReview
Sign In

Subscribe to our Weekly Newsletter to get latest updates to your inbox
| | March 20178CIOReviewBy Maj. Gen. Earl D. Matthews (USAF, Retired), VP-Enterprise Security Systems, U.S. Public Sector, Hewlett Packard Enterprise [NYSE:HPE]Our Nation's National Security Strategy highlights the danger of disruptive and even destructive cyber-attack vectors. Today, government's cyber infrastructures are under increasing pressure from a variety of adversaries with a number of objectives, ranging from individual and organized criminals seeking financial gain, to nation states seeking political and military advantages, to activists and terrorists seeking to undermine basic values.Complexity and a lack of multi-domain planning increasingly undermine our government's cybersecurity. This situation does not have to continue. There exists the capability to protect the nation's data and cyber resources, but something is missing: strategic, risk-based cybersecurity programs that prioritize the nation's applications and data. Implementing this, however, means overcoming some particular challenges. Much like the space race in the 20th century, the U.S. needs a national program and timeline to address the critical issue of cybersecurity.Why is Good Cybersecurity so Hard?Part of the reason is the rapid advance-ments in cyberspace and the correspond-ing, and ever evolving cybersecurity threats. Lone hackers have been replaced by highly motivated, well-resourced or-ganizations, supported by a black market that commercializes the latest ex-ploits, and offers botnets as com-modities and provides a market-place for stolen information. However, the primary reason for why defense is so difficult can be summed up in one word, complexity.Most organizations have implemented a voluminous number of security products to protect their environment. Industries and organizations chase the next dazzling product instead of forming and implementing a comprehensive roadmap or cybersecurity plan. As a result, you have so many products without enough time to properly train your security professionals. Moreover, some newly purchased products remain in the box, unused. Resources continue to be used for extinguishing fires rather than learning how to prevent them.Cybersecurity efforts are also primarily focused on protecting an enterprise by blocking attempts to penetrate the system from the outside in. While there is a logic to this approach, ultimately it is a losing strategy in such complex environments.What can we do?We need to take a different approach and look at the methodology from the inside out. When you're looking at cybersecurity from the outside in, then you're just trying to deny intrusions. However, if you approach cybersecurity from the inside out, then you can think about it from the angle of, "what are my most critical applications and data".To leverage this `inside out' way of thinking, you can consider these lines of efforts:Risk-based focus: It is important to develop a risk-based strategy instead of a compliance-based strategy.A risk-based program focused on the most valuable and vulnerable assets enables you to use finite resources to defend those assets that are most likely to be targeted.Complexity and a Lack of Strategic Planning Undermine Our Government's CybersecurityIN MY OPINION01010Maj. Gen. Earl D. Matthews
< Page 7 | Page 9 >