Not All Regs Are Equal
Why? Primarily because report-driven compliance leads to a false sense of security. Treating every rule and directive as equally important fails to account for changing technology, risks and threats. But compliance requirements won't disappear. So what should you do?
Understand the Threat Environment
Attackers are persistent, and their tactics constantly change, so you must keep up with the shifting threat landscape. Verizon Business conducted a study of more than 90 confirmed data breaches in 2008 and concluded that simple mistakes and omissions by the victim organization - leaving a default username and password enabled on a public-facing interface, for example - facilitated most breaches. Bottom line: don't get too bogged down with unusual, highly technical vulnerabilities and exploits. Most attacks go low tech and come in through the front door.
Know the Federal IT Trends
Thought much about cloud computing or the implications of deploying open source applications? You must.
The Obama administration will encourage adoption of many emerging technologies, and security managers will be charged with making sure they can be used securely, soundly and resiliently.
Visit whitehouse.gov and you'll see a site built with technologies that haven't been used extensively in government before. Get used to it. As systems managers and owners become comfortable with the newer technologies, IT security pros must know how to defend them.
The latest IT security technologies - intrusion detection and cyber early warning systems - are only as effective as the communication paths between the people who run them. When we share knowledge and information, we multiply our effectiveness and are better positioned to address dynamic and emerging threats. Workgroups, peer forums and public-private partnerships also present some excellent networking and learning opportunities. Check out the NIST-sponsored Federal Computer Security Programs Managers' Forum where federal government security professionals meet five times a year.
The state of security will get more complicated and, perhaps, more bureaucratic as efforts to reform FISMA could add an additional layer of oversight from the White House in the form of a cybersecurity czar.
Even with reform, regulators and standards bodies will continue to develop federal IT security rules and guidance. By understanding the threats, knowing the latest government IT trends and collaborating with your peers, your job will become more manageable.
Eric M. Fiterman is a former FBI special agent and founder of Methodvue, a consultancy that provides cybersecurity and computer forensics services to the federal government and private businesses.