It looks like the federal government has a plan for cybersecurity. Or, at least it has an outline for what federal agencies should be prioritizing. Howard Schmidt, the man in charge of coordinating cybersecurity for the White House, said in a blog post that he realized it was time federal agencies focus their attention on the most effective controls, which Schmidt listed as:
The reason for picking these three primary areas? Schmidt explained:
The purpose in selecting three priority areas for improvement is to focus Federal Department and Agency cybersecurity efforts on implementing the most cost effective and efficient cybersecurity controls for Federal information system security. Federal Departments and Agencies must defend their information systems in a resource-constrained environment; balancing system security and survivability while meeting numerous operational requirements requires robust risk management.
I think there is a huge takeaway from Schmidt's plan for the private sector. According to Schmidt, an effective cybersecurity strategy has to be developed despite the fact that agencies are working with limited budgets. His thinking is that by focusing on a few areas that have high effectiveness, you have a start at protecting data.
Enterprises don't have unlimited budgets, either, and cybersecurity often seems to be one of those areas that gets shoved under the carpet. It's pushed off to IT managers who understand the basics of protecting a computer or a network but may not know the best ways to practice cybersecurity, or the security personnel who are on staff are stretched thin trying to cover everything.
This may be a situation where it is better to take care of the biggest problems first, rather than trying to focus on too much. Take Schmidt's reasoning for including strong authentication in his mix of effective controls. He wrote:
Passwords alone provide little security. Federal smartcard credentials such as PIV (Personnel Identity Verification) and CAC (Common Access Cards) cards provide multi-factor authentication and digital signature and encryption capabilities, authorizing users to access Federal information systems with a higher level of assurance.
It's one small step, really, that any limited budget should be able to implement and put into regular practice, and, yet, it can go a long way to prevent data breaches or to protect data on devices that are lost.
I know, it sounds incredible that we might use government as the example of how to improve any business practice, but Schmidt's ideas on cybersecurity are something to pay attention to.