Through the years, Symantec's Jim Russell has offered this blunt assessment of FISMA: It lacks “teeth.” The current law's inability to hold agencies accountable for data breaches, plus staff and budgetary issues, have driven inaction by many smaller agencies. Forty-two percent of them don't even have dedicated IT staff. But the tide is turning. More frequent cybersecurity breaches, as well as the Obama administration's reliance on a more open “Blackberry PDA-device world,” are contributing to increased IT budgets and staff. A stronger version of FISMA is likely to follow. “FISMA will get more teeth and will be enforced much more stringently,” predicts Russell, vice president of public sector at Symantec. In advance of that day, Russell recently offered ExecutiveBiz his take on how you can help smaller agencies develop a stronger cybersecurity posture — sooner rather than later.
1.) Identify each endpoint in the agency environment. Just a few years ago, an endpoint was a PC or laptop. No longer. These days, endpoints include devices such as Blackberries and cell phones. That's why it's so crucial to ask, “What's the environment we're trying to protect?” “Understanding what's out there as far as hardware as well as software is a challenge,” says Russell. “What we've found with some of the smaller agencies — and the actual work with contractors — is that although a comprehensive security strategy may be in place, points of vulnerability will always exist … which means protecting information is just as important as protecting endpoints.” In Symantec's case, its acquisition of Vontu a few years ago now affords the company the ability to lock down personally identifiable information and engage in data loss prevention. “That's what we want to see in a perfect cybersecurity world — prevention,” says Russell.
2.) Stay informed of the security landscape. “Staying informed is actually pretty easy as long as you have time to read reports on a regular basis,” says Russell. Along with Symantec's Internet Security Threat Report, a number of companies routinely put out reports that offer different ways of monitoring the threats: everything from internet traffic to what goes through military and unclassified networks. Also, the Department of Homeland Security's US-CERT website provides links to various online services and reports.
3.) Use layered security. “Employ defense-in-depth strategies including the deployment of antivirus software, firewalls, and security patch updates,” says Russell. “Attackers today are increasingly sophisticated and organized,” he adds, “smaller agencies need to augment these traditional antivirus solutions today with easy-to-use, all-in-one suites that protect critical business assets.”
4.) Back up data. “No matter how much you buy or implement, you're not going to have a completely 100 percent ‘safe security’ solution,” says Russell. “That's why you need to back up your data … [for example] say that someone is able to penetrate or compromise it, you must have a way to retrieve your data or, if need be, to close down things so that you can address the needs and get a separate copy of your data.”