Dan Jacobs says agencies should treat security like a team sport and avoid falling in love with the latest cyber products.
The key to protecting information and applications stored in the cloud has more to do with the organizations using the tech than the platforms themselves, according to a federal cloud security expert.
When it comes to cybersecurity, it’s easy for agencies to become enthralled by the latest products and services, but even the most cutting-edge tool can’t replace solid risk management and security practices, said Dan Jacobs, the senior security architect for the Technology Transformation Services and Centers of Excellence program at the General Services Administration.
As agencies move more of their operations to the cloud, it’s important that they approach security with a focus on people and processes, not just procurement, he said.
“Many of the problems we face as a security community aren’t actually technical problems at all,” Jacobs said Tuesday at a lunch hosted by Symantec and produced by the events division of Government Executive Media Group, Nextgov's parent company. “Many times they’re human problems. If we’re not equipped to deal with that, we’re going to continue to bang our head against the wall trying to figure out the way forward.”
But despite years of warnings from cyber experts and oversight groups, the government is still struggling to implement even the most basic measures to lock down its sprawling IT infrastructure. Referencing a recent Government Accountability Office report that found most agencies still lack effective cybersecurity plans, Jacobs said agencies will need to improve their execution if they want to keep information safe in the cloud.
Beyond planning and policy, Jacobs said the government also stands to benefit from treating security like a team sport and investing in threat intelligence, bug bounties and other crowdsourced security practices.
“Agencies that operate their security in a vacuum should expect to suffocate,” Jacobs said.
He also advised feds to rethink the types of skills and experiences they look for when recruiting cybersecurity professionals, something other federal cyber experts have recommended as well. Resumes don’t always reflect expertise in a field like cybersecurity, he said, and the government’s current hiring process may overlook those with less traditional backgrounds.
As the government works to improve its internal security practices, researchers are finding the changing threat landscape will force agencies to take more responsibility for their own security, at least when it comes to the cloud.