Last Updated: 2009-11-23 18:55:11 UTC
by John Bambenek (Version: 1)
On the heels of a recent Government Accounting Office (GAO) finding that many US federal agencies are still failing to adequately protect their systems, the National Institute for Standards and Technology (NIST) has issued new draft guidelines to revamp how the US government protects its own networks and to make up for the perceived failings of FISMA. (You can find the new guidelines here). While still in draft form, it appears the philosophy was to front-load security considerations and monitor throughout the life of the resource.
Ultimately, it's part of the age-old problem in security. Most organizations exist for reasons unconnected to cyber-security, so how do you get them to invest in something that isn't their core business and doesn't necessarily increase sales (or decrease costs)? For private organizations, regulation comes into play, where organizations are forced into a security posture under threat of fines. This is so prevalent that I've heard more than once when presenting risks that "if there's not a law or regulation, then I don't care". It's a special problem for governments because regulations are not as "binding" on the same entities that enforce governmental regulations to begin with. The problems the US has (and other governments, for that matter) aren't difficult ones to solve; they are known vulnerabilities or gaps with known solutions. The problem is making it part of the culture and getting the investment.
Businesses also have to deal with lost business or lawsuits in certain types of data breaches, while, generally, the government faces no such risk. This paper has tips for selling security to management, but not all of it applies in governmental shops. Ultimately, it comes down to awareness, good risk analysis with costs and benefits, and solid policies.
What are your tips for making the sale for security in government shops? (Will post the best answers in a follow-on diary Wednesday)
bambenek at gmail /dot/ com