Changing security mindsets for a changing threat landscape
It would be easy to keep important things secure from prying eyes if you sealed them in a box and chained the box to the bottom of the ocean. The tradeoff, of course, is that you would completely lose the ability to access or use them.
Utility versus security seems like a stark choice. Headlines regularly document data breaches, intrusions by hostile adversaries and compromises of critical infrastructure. Data, applications and other vital tools are either available and vulnerable or they’re at the bottom of the ocean, with nothing in between. Yet, no organization can function that way, especially the public sector. The IT director who is perceived as constantly saying “no” to innovations will quickly lose a seat at the strategy-setting table.
That’s why Lumen recently participated in the ATARC 2021 Cybersecurity Innovations Summit on June 2. We brought together a body of government security executives at both the federal and state level to discuss strategies that minimize risk and maintain the innovation upon which the public sector thrives. It should not be a stark choice. Both security and utility are requirements for our digital ecosystem.
The summit was organized largely around two panel discussions, one focused on federal cybersecurity needs and the second on state needs. These needs certainly overlap, but the panels are tailored to their particular public sector segments. The federal panel places a greater focus on innovation and security in the context of federal IT modernization mandates and the federal government’s unique mission sets. The state panel focuses on creating new ways to interact with citizens and develop public services – all while building security into the architectures and practices deployed.
New mindsets drive new strategies
These are important discussions for us to share today because the threat landscape continues to change. It used to be that improving cybersecurity was a question of size; bigger firewalls were better than smaller ones, like a deeper ocean would be better than a shallow lake in my opening analogy.
However, this approach doesn’t work anymore. Malicious cyber actors are much more sophisticated, and the complexity of the systems we’re protecting, from the cloud to the expanding network edge, has soared. And the harsh truth is that the consequences of cyber incidents continue to threaten public safety, economic and national security, and the resilience of the systems upon which we have built American society.
One of our goals in hosting the summit was to discuss two changes in mindset that are necessary to preserve innovation while maintaining security. The first is to stay focused on the outcomes you’re trying to create. What systems and data flows can create that value? You need to build the right framework to deliver on your mission. Then you can explore what needs to be secured to realize that mission. This approach preserves the innovative spirit that public servants share. Security functionality should be built into the network and many of the other components of that operational architecture.
The second mindset change is to assume that your systems will be compromised in some way. That might seem counter-intuitive, but it’s the start of a new way of thinking about security in our new reality. As we’ve seen with some of the recent highly complex attacks, intruders can persist in our systems and networks without being discovered using traditional approaches. They infiltrate our extended systems of vendors and suppliers looking for a single chink in the armor. Firewalls and traditional security technology are still important, of course, but we need to think in terms of layers of protection, rapid threat detection for response, and zero trust models of access – not just deeper oceans. By assuming some form of compromise will happen, we are less likely to be caught flat-footed and can be prepared to act.
There is still much more to talk about. But in case you missed it, watch the replay of the ATARC Cybersecurity Innovations Summit, sponsored by Lumen, to learn more.
©2021 Lumen Technologies. All Rights Reserved.