By Amanda Lowell, Security+CE, RDRP
Folks frequently reach out to BAI to ask, “Which security controls are required for X kind of DoD system?” It’s a valid question that can also be indicative of a common misconception.
The short answer is, you will have certain control overlays for your information system, such as privacy, standalone, classified, etc., that are required based on the type of system, information processed, and specific use case.
The common misconception for security professionals in the public sector, which I hope to address in this article, is that a “check-the-box” mentality is an adequate philosophy in cybersecurity. In reality, it is the antithesis of the goal of risk management.
Before I make anyone angry: I understand that most of our audience is in the Federal and DoD space, facing myriad legal requirements. These folks are only looking to ensure that they don’t miss any requirements that could result in someone losing their job or going to prison. The challenge of the modern professional in the governance, risk, and compliance (GRC) sphere is that they are not only responsible for legal requirements but also appropriate due diligence. The checkbox mindset represents the “Compliance” aspect of GRC only in part.
As anyone can guess, threat actors do not care about our legal requirements. If anything, requirements shine a light onto our strategic focus as a nation, allowing threat actors to prioritize the gaps in our frameworks and controls. With all due respect to our lawmakers, the U.S. government is naturally going to lag in creating regulations to address current events and issues. We only have so many resources to allocate to our org’s security, and nothing is more delightful for an adversary than a red herring, such as spending millions on security products to cover your antivirus/auditing requirements, while keeping end-of-service-life systems with known vulnerabilities in production.
So, the purpose of GRC in cybersecurity is actually to get away from a checkbox mentality, instead building a comprehensive security program that enforces auditing, accountability, and due diligence to fit the risk appetite, budget, and mission of the organization. Due diligence is the opposite of a checkbox mentality: it’s being willing to disturb the status quo, ask seemingly dumb or irritating questions, and dig beneath the lip service for the sake of identifying the real problems at hand and how they are being addressed.
Some questions you can ask within your security program to dig deeper:
- Which security functions do I have the least visibility into?
- How are the results and effectiveness of security functions validated?
- Are there any areas that I’m just trusting are secure?
- Which security controls are giving me the biggest bang for my buck (i.e. perform multiple functions)?
- Which security controls can be consolidated (e.g. antivirus + endpoint logging = EDR/XDR)?
- What risks/threats are keeping me up at night (for good reason)?
- What roadblocks, if eliminated tomorrow, would make the biggest impact for our team? Our organization?
- When was the last time I checked up on changes in legislation and industry standards?
- Which security leaders and news am I listening to? Have I pigeon-holed myself into one particular sector or think tank?
- What are my knowledge gaps? Are there knowledge gaps on my team? What are some practical ways to fortify those?
The wonderful thing about due diligence is that its fruits will undoubtedly fulfill a large majority of legal requirements. Then you just have to document your evidence and fill in the gaps!
In essence, GRC is where cybersecurity and legal coalesce. It’s tough to identify where one begins and the other ends for a security professional, and the standards are still changing as more security legislation is created and judicial precedents are set. The bottom line is: we must be champions of compliance while also performing due diligence to minimize the likelihood and impact of cyber threats. And if you have ever asked, “Which security controls are required for X kind of DoD system?”, thank you for letting me pick on you for a minute.