The Importance of Bridging the Public/Private Industry Gap
Posted by Frank McLallen
Every so often we read articles that speak of public/private industry collaboration toward best practices in the field of cyber security. We hear of working groups, industry forums, training and collaboration, and even private industry executives testifying before Congress regarding their experiences. But after all the hoopla and posturing, it seems all parties return to their corners and go back to doing what they do best. In the private sector, it’s typically a continuous balancing act: making risk-based decisions about which controls are appropriate for the value or criticality of the systems that hold the organization’s information. Yes, there is an element of compliance in many cases, but ultimately the decision always comes down to a financial calculation of what is at risk and what a company should spend to mitigate that risk.
In the public sector, checklist-based compliance mandates focusing on one-size-fits-all policies such as FISMA, DIACAP, and NIST guidelines are the norm. Years and years of ongoing point-in-time assessments are performed over and over again, only to reveal patching deficiencies and existing exploits that should have been captured and considered as part of any best practices cyber program. The difference is that the public sector is motivated and managed by getting checks in the compliance boxes, and public sector cyber providers are motivated by keeping proverbial “butts in the seats,” rather than by receiving compensation for providing leading-edge solutions and real-time sustained decision support. In fact, many government contractors shy away from efficiency and automation because it can reduce the precious recurring revenue stream that results from mundane FISMA and other compliance audits. Pointing out agency vulnerabilities always creates a sufficient fear factor to maintain the status quo.
The bottom line is that commercial contractors who protect large financial services, energy, transportation, health care and other critical commercial infrastructures are better incentivized by their commercial clients to provide innovation, speed to implementation, and enhanced cyber solutions. Multi-national banks have all the same confidentiality, integrity, availability, and accountability issues as the majority of government agencies. And yes, multi-national banks have deep pockets as well. But they do not have the luxury of getting it wrong. One data breach can cost millions in direct financial loss, brand degradation, and loss of paying customers and investors, and might result in total failure. So, multi-national banks pay for security providers to deliver the best solutions, at the fastest speed, and always balance risk versus budget during the process. The public sector can learn a lot from this model: not so much from whatever the new or hot technology is, but rather from leveraging the innovation, speed, and performance that come from the best practices and efficiencies learned in the private sector.
There are certainly government contractors who provide cyber innovation and can count themselves among the best security professionals in the world. But unfortunately there are far too many that are content to source bodies and perform mundane certification and accreditation tasks. For evidence of this point, one need only look at why so many large government agencies still struggle to even understand the most basic nuances of their networks, let alone make truly effective risk-based decisions. Is it the internal agency politics? Or is it that government agencies simply make it too easy and profitable for government contractors to put and keep “butts in seats”?