Federal IT leaders are shifting focus from trying to secure every system to prioritizing the systems that need the most security controls.
“We realized that no matter how much we protected our systems, something could happen,” said Thresa Lang, deputy director of the Navy Cybersecurity Division, at CISQ’s Cyber Resilience Summit on Oct. 19.
The Navy created the Cyber Safe team to focus on securing mission-critical systems.
“We can’t pay to have everything 100 percent secure,” Lang said.
Greg Touhill, former Federal chief information security officer and president of Cyxtera Federal Group, said that the government needs to focus on keeping acquisition requirements simple and reinforcing courageous leadership qualities.
“We’re spelling out today’s requirements for tomorrow’s world,” Touhill said. “We’ve got to get back to the basics and focus on what effects we want.”
Touhill said that many Federal leaders are scared to make changes because they’re afraid of punishment if they fail. Leaders won’t be able to get rid of risk, Touhill said, but they have to make security decisions anyway.
“We’ve got to make some decisions because that’s what leaders do,” Touhill said.
Touhill said that IT leaders can use their influence to get what they want out of the acquisition process even if that means disagreeing with the acquisition officials.
“We have to throw Thor’s mighty hammer and just say no,” Touhill said. “Who in their right mind would go against the CIO and CISO when their thumbs are down?”
Therese Firmin, principal director and deputy chief information security officer at the Department of Defense, said that agencies shouldn’t be too stringent on their security requirements because they need to leave room for industry to offer innovations.
“We need to be able to accept the risk,” Firmin said.