By Stan Lowe, Global Chief Information Security Officer, Zscaler
In many realms of life, there’s a difference between compliance and excellence. For instance, you could build a house that complies with all local zoning and building-code regulations, but that wouldn’t necessarily make it a place anyone would want to live. And we’ve all known the “A” students who study hard and memorize lots of details so they can get a high grade on a test, but don’t actually understand or appreciate what they’ve learned when it comes time to write an essay about it.
In terms of cybersecurity, the difference between compliance and operational excellence is especially pronounced for federal agencies. Traditionally, cybersecurity in the federal government is a compliance-driven activity, due to the huge amount and multiple layers of oversight that federal agencies receive from Congress, the General Accounting Office (GAO), and Inspectors General (IGs). All of these entities require checklist-based evidence showing that agencies have followed all the certification and accreditation rules when granting their Authority to Operate (ATO). Some agencies have hundreds of systems for processing these rules and have large organizations staffed with compliance experts specifically to produce, track, and curate the required documentation.
The considerable oversight and requirements lead to a situation in which agencies are more worried about complying with regulations, and showing they’ve done so, than about actually securing themselves or the government from operational threats. Agencies end up focusing on questions like “Are we compliant or not?” and “Do we have documentation that proves we are compliant?” when they should be concentrating on the much more significant question about whether they are creating a world-class operationally focused security program that ensures the security of the enterprise and its mission. Emphasis on compliance activities can inadvertently cause agencies to deemphasize other important aspects of their operations, such as understanding their complex environment and its activity, as well as what “excellence” really looks like for their agencies.
This isn’t the fault of the agencies themselves, but rather the way cybersecurity is approached in the federal space, where agencies are constantly required to prove that they are doing what they say they’re doing through elaborate documentation—and they’re rewarded for doing so. Security shouldn’t be measured by how well an agency does paperwork; that’s akin to driving your car using the rear-view mirror. It should be measured by how well an agency performs actual cyber operations. If federal agencies concentrate on operational excellence, the compliance aspect of cyber happens organically as a result of that effort.
An operational imperative
Federal agencies are moving to cloud-based applications and operations. Sometimes the move is supported by agencies’ security organizations and sometimes not, but it is happening, nevertheless. The use of cloud services makes compliance even more onerous and confusing, and agencies are left to make individual decisions based on their understanding of compliance as it relates to the cloud. For the mission areas, compliance is often viewed as an obstacle to go around, over, or underneath.
FedRAMP was designed to help agencies securely use the cloud and save the government a tremendous amount of money in the process. By using a cloud security platform that has FedRAMP approval, agencies can offload much of their compliance burden. While it’s not a panacea—and a FedRAMP-approved platform like Zscaler can’t eliminate all compliance issues—it can enable agencies to turn their focus to securing the mission and to operational excellence.
About the Author
Stan Lowe, a cybersecurity and technology executive, has successfully led transformational change in large, complex environments, as well as small and mid-size cybersecurity and IT organizations. As Zscaler Global Chief Information Security Officer, Stan oversees the security of the Zscaler enterprise and works with the product and operations groups to ensure that Zscaler products and services are secure. Part of his focus is to work with customers to help them fully utilize Zscaler services and realize the maximum return on their investment. Prior to joining Zscaler, Stan served as the VP & Global Chief Information Security Officer for PerkinElmer, where he was responsible for global enterprise security and privacy. He has also been a Cyber Security Principal at Booz Allen Hamilton. Stan has extensive federal experience, serving as the U.S. Department of Veterans Affairs (VA) Deputy Assistant Secretary for Information Security, Chief Information Security Officer, and Deputy Chief Privacy Officer, as well as Deputy Director of the Department of Defense/VA Interagency Program Office. Before joining the VA, Stan served as Chief Information Officer of the Federal Trade Commission. Stan’s public service record extends to the U.S. Department of Interior in the Bureau, the U.S. Postal Service Inspector General, and the U.S. Navy. Stan has also served as an executive in several technology startups and currently serves on several boards advising on cybersecurity. He is a frequent speaker and writer on security topics.