Advancing cybersecurity beyond compliance to resilience
Meghan Good has a blunt message for information technology managers: “If a malicious actor wants to find a way into your system," she says, “then guess what—they're going to find a vulnerability somewhere and get in."
That may sound like a taunt, but it's critical advice from a seasoned cyber-protector of some of America's most sensitive and complex information systems. Good, who is Vice President and Director of the Cyber Accelerator at Leidos, recently sat down to share hard-won insights into what it takes to bring today's highly distributed and sophisticated systems to the leading edge of advanced cybersecurity—even as these systems face the constant threat of attack.
Good has plenty of perspective to draw on. The Leidos Cyber Accelerator pulls together expertise from across Leidos, along with top experts and tools from leading industry partners, to solve cybersecurity challenges in the U.S. Department of Defense and other government agencies, as well as across the commercial sector. “We find the weaknesses in large environments, and then bring together the most promising technology solutions available in order to defend them," she explained.
Compliance isn't enough
One of the first tasks her team often faces in a project, she explained, is ensuring that everyone is on board with a plan that goes well beyond merely achieving compliance with government or other standards for cybersecurity. “Compliance with a set of rules or regulations is often seen as an end in itself," she said. “But our information technology environments are too dynamic for compliance to be enough."
The problem, she noted, is that a set of standards might be useful for protecting a system as it is today from the threats that exist today—but the system and the threats will be different tomorrow. “You don't want to rely on a plan that's based on a snapshot in time," she explained.
A second misconception Good's team sometimes faces is that the entire point of cybersecurity is to prevent all possible breaches. Not only does the rapidly evolving nature of cyberthreats make that virtually impossible, Good said, but focusing on it can blind organizations to the equally important need to ensure that systems don't catastrophically collapse when the inevitable breach does occur. “There has long been a stigma around having security vulnerabilities anywhere in your system," she said. “But you need to assume there will be breaches and ensure that when they happen, the system and organization respond effectively."
The appropriate goal isn't invulnerability, Good explained, but resilience. “The system should be able to function through and recover from unforeseen adverse events," she said. That means quickly identifying an event and responding immediately to prevent further damage and maintain needed operations. “You're not blocking every possible breach," she said. “You're waiting for the breach, and you're prepared to out-maneuver it to keep mission-critical functions safely operating."
Good suggested that achieving cybersecurity resilience requires moving away from the mindset of building a system's functionality first and then adding in the security and resilience later. “The reason cybersecurity has long been seen as a cost is that it has often been done at the end of the system development process," she noted. “But it must be part of the process from initial system design, through development and prototyping, and into deployment. That way, security and resilience are integrated with function, and they're all seen as a value together rather than just as a cost."
Building in that deep integration requires engineering discipline, as well as keeping up with development best practices and the latest tools, Good noted. Doing so enables the successful implementation of “zero trust" security, in which every action that involves accessing the system or data is treated as if it is potentially the work of a malicious actor.
Admit, share, and improve
A big element of state-of-the-art cybersecurity is one forged outside of the actual system, Good claimed—that element is sharing security information with other organizations. “Knowing what challenges others are experiencing and what they're doing about it helps a lot," she said. That includes sharing that an organization has experienced a breach, she emphasized—something that only half of all organizations do, according to a recent statistic. “There's a lot of work to be done in getting managers to accept that these incidents are part of the landscape," she said. “Admitting it and sharing knowledge about what happened and what can be done about it is how you show real leadership and build resilience."
The federal government is one leader in this sort of sharing, having established a strong “collective defense" program of promoting and facilitating inter-agency sharing of cybersecurity issues, Good noted. She added that most commercial industries now have similar programs, often establishing formal security reporting and analysis centers. “It's important to have safe spaces to share this information," she said. “Even senior government leaders are talking about it now."
U.S. military leaders are certainly focusing on advancing cybersecurity. According to Good, this is because many of the security challenges are amplified in warfighting. “There are so many more things that are digitally interconnected now in a war situation," she pointed out. “Command and control is no longer just about a person giving orders to a set of troops in a physical battle space. It's often data that's driving what's happening moment to moment." Sometimes, the battle is entirely one of cyber warfare, she added, with both sides looking to penetrate, disable, or corrupt the other's systems. “Security and resilience have become a critical part of the active battle space," she said. “The new threats are constantly evolving and becoming more complex."
As the cybersecurity problems become harder in defense and elsewhere, the drive for new solutions will have to draw on ever more innovation and sophistication, predicted Good. But she expressed confidence the protectors will keep pace—largely thanks to new generations of talent. “Children today are growing up thinking about cybersecurity," she said. “You don't have to tell them not to share passwords."
Good recalls her first assignment on a cybersecurity team, when she was the youngest member and the only woman on the team. “One of our first incidents included some communications on Facebook—and I had to explain to the rest of the team what Facebook was," she said. “When I see the diversity and new talent coming onto today's teams, I'm confident they'll bring us the new perspectives and ideas we'll need to solve tomorrow's problems."
For more details, we invite you to listen to our podcast – Cyber challenges from attacks to Zero Trust with Meghan Good