Wednesday, February 15, 2017

GAO on Cyber

The Government Accountability Office has just published a new report on cyber, and the title says it all - Cybersecurity: Actions Needed to Strengthen U.S. Capabilities. If you are a security professional, you don't need to read this one. It says the same thing every report like it has said over the last 20 years. They even recommend patching and O/S configuration, training, better incident reporting, and the ever-present "metrics". None of this has worked, and none of it will work until there is some accountability and oversight from outside each individual agency.

The consistent problem with cyber is the management of it. The idea that someone can accept the risk of operating a system with major findings is beyond me. We frequently found managers who would accept any risk, no matter how large the potential consequences [in one case a manager accepted the risk that some of the users of a system processing classified information did not have security clearances]. There is no oversight of this process at all. There is no penetration testing by an external group. Any findings from inside are papered over and put on endless lists of things that need to be corrected some day. That part is absurd.

Our Federal government has trouble keeping security professionals because anyone who is good at the job will not live under this type of regime. They do their job, only to have some person who knows next to nothing about cyber defenses decide to accept a risk for data that he/she often doesn't even own. It is not that manager's risk to take. This is how the IRS got hacked twice in the same year, how OPM lost that security clearance data, how the Obamacare website was deployed without security testing, and many, many more.

I am tired of having my data stolen from people who don't give a damn about anything except their next promotion. We need aggressive action to oversee the kind of testing and risk acceptance being done by agencies. Nobody can survive in the dream world where following NIST "guidance" is treated as making a system secure (it never will), and any manager wanting to avoid responsibility can simply decide to accept the risks.
