U.S. Department of Homeland Security CIO Scott Charbo was in the hot seat Wednesday, testifying before a Congressional subcommittee on the hundreds of security breaches that have occurred at various areas within his organization in the last couple of years. Some reports pin the number around 800, and they comprise everything from stolen laptops to Web site hacks.
Ironically, the problems exist at the very agency that “should be setting an example,” Khalid Kark, senior analyst with Forrester Research, told TechNewsWorld. The example that DHS should be setting includes taking a comprehensive view of computer security, not just a technical one, he stressed.
Techies in Charge
“In federal government,” he said, “the person in the chief security position typically is more technical. So they tend to rely quite a bit on technology.” That technology, he explained, often is a point, best-of-breed solution for each particular security issue. At a governmental organization like the DHS, with hundreds of separate departments, that can mean lots of point solutions and no overall plan.
“That’s what technologists do,” Kark stressed.
However, the DHS was formed several years ago by merging many government agencies, each with its own culture and approach to information security. What the organization lacks is the processes and procedures necessary to support personnel attempting to comply with security policies and use the advanced technical tools available to them to keep information safe, Kark argued.
For example, missing laptop computers are a common security issue for industry and government alike.
“We have so many breaches that we’ve come to the conclusion that any sensitive information needs to be encrypted and you have to augment that by having processes where laptops are routinely backed up,” Kark noted.
In fact, the DHS may have a security policy regarding laptops that provides state-of-the-art protection for the information residing on them — on paper, that is.
“They have a policy addressing a particular security element 99.9 percent of the time,” explained Kark. “The question is, are you really enforcing that policy, and how seriously?”
Thus, Scott Charbo’s challenge is not a technical one, but a management one. “You don’t start with technology, you start with process,” he said.
“They have to start broadly and do a gap analysis first,” Kark continued. “But right now, they’re not using a coherent strategy; they’re just scrambling.”