After Fed Government Shutdown, Time to Rethink Your IT Security
Recovering from the latest federal government shutdown reminds Christopher Kennedy of taking an aircraft carrier out of the mothball fleet.

A former Marine and official with the Treasury Department, Kennedy has worked in cybersecurity for more than 20 years, including stints in the private sector. His current job, announced January 24, is CISO and vice president of customer success with AttackIQ, a security vendor that focuses on continuous security validation.

With one federal government shutdown behind us, and the threat of another one a few weeks away, the aircraft-carrier metaphor is a good one for Kennedy: it illustrates how difficult it can be to re-open the U.S. government after several weeks, especially when it comes to cybersecurity, which is considered part of the country's critical infrastructure.

Although cybersecurity is top of mind for everyone these days, the shutdown showed how fast problems could accumulate within an organization’s infrastructure. For instance, since SSL certificates were not renewed, websites such as the U.S. Justice Department's were not available.

On a tactical level, the cybersecurity ramp-up following the government shutdown is fairly straightforward: employees come back to work, systems are checked, licenses that may have expired are renewed, and those already manning the most mission-critical infrastructure can get a much-needed break when returning employees step in.

The most complex part is the employees. Whether they are full-time government workers or contractors, the extent of the recent shutdown (35 days) and the damage to the economy ($11 billion) are a serious blow to a workforce that has a sense of mission and craves stability.

"The bigger picture is that you created a lot of instability in an institution that is highly stable," Kennedy told Dice in an interview. "People who are federal employees are workers that answer a call to service, but who are also looking for the stability of work. Now, everything is complicated because you still want to draw that mission, but the job doesn't offer that same stability. I'm not sure how long it takes to recover from that."

This type of disillusionment with work can lead to insider threats against an agency or organization, whether that means employees not fulfilling their duties or, in the more extreme case, a worker selling data or access to systems and networks.

For Kennedy, countering some of these lingering feelings requires CISOs and other security and IT leaders to build a better level of communication into their security posture. He calls this an "if you see something, say something" culture, where workers feel they can raise concerns about colleagues who are acting inappropriately or still feeling lingering pressure from the shutdown.

"It starts from the top. It's got to be something that the most senior executives in the organization create as part of the culture," Kennedy said. "It's about saying, 'Hey, we're getting back to work, let's get back to work. We have an important mission, let's get it done and security really matters here. We understand that we all have been through a lot here but we're in this together.' You can spin it positively but at the same time acknowledge the risk."

For government CISOs facing this situation (and possibly a similar situation in a few weeks), Kennedy offers a six-point checklist: