Internet Explorer 11 is not supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

The 1,000-Day Information Security Strategy We Need

In many ways, our digital infrastructure was unprepared for the pandemic's challenges. Now is the time for a longer-term cybersecurity vision.

shutterstock_458190886
(Shutterstock)
A recent article by Melissa Hathaway for the Centre for International Governance takes public leaders to task for failing as COVID-19 first emerged to prepare the public for "a 1,000-day journey" in overcoming the virus's public health and safety threats. "Instead," Hathaway wrote, "our leaders managed the announcement of the pandemic as they would a quarterly earnings forecast, asserting that everything would be fine by the next quarter." Obviously, that wasn't the way things worked out.

Hathaway was using that early pandemic response, focusing as it did on a mere 100-day horizon, to make the argument for resiliency in our digital infrastructure, which in many ways was unprepared for the surge of online activity that pushed some networks past the breaking point amid multiplying security threats and attacks. "Vulnerabilities in these technologies present existential threats to our economy and sovereign security," Hathaway wrote.

Her assertions made me think about how some of us in the information security community have been saying for decades that cybersecurity is a marathon and not a sprint, and, more recently, how the pandemic could be a forcing factor for security professionals to take a longer-term approach to institutionalizing core security principles. More importantly, perhaps it could also be a catalyst to creating a security vision that tackles not only cyberthreat risk management but also everything from workforce development to succession planning to legacy technology life cycle management.

I'm certainly not the first to say it, but security professionals as a rule do not do well at strategic planning. That's a bitter acknowledgement from someone who has spent his entire adult life in the public and private information security business. Part of the reason is that we live in a very tactical world where daily threat and vulnerability firefighting is the norm, which often distracts from the ability to think strategically.

It doesn't excuse our inability to conduct and execute on long-range planning, but everyone who has held the title of chief information security officer understands how easy it is to get caught up in the daily tsunami of security threats and vulnerabilities, or to fall into the trap of planning around existing technology — when we can be 100 percent assured that in 18 to 24 months new technology will exist that we may not be able to imagine today.

It's not that long-range planning is unheard of in the public-sector technology environment. I was recently talking with retired Air Force Lt. Gen. Harry Raduege about his time as director of the Defense Information Systems Agency (DISA). He realized early on that DISA needed to become more customer-focused in delivering services across the Department of Defense, where its customers included not only combatant-theater commanders, military service secretaries and other defense agency directors but also the White House. The solution was a 500-day action plan that identified long-term strategic goals while at the same time addressed ongoing tactical challenges both in the United States and in combatant theaters around the globe.

There is a similar lesson to be learned in the extended pandemic world we live in today. According to a recent survey of more than 300 state, local and federal government IT professionals, conducted by Insight Enterprises and focusing the pandemic's impact on organizational readiness, a majority of public-sector organizations experienced significant downtime in this spring's work-from-home transition. The report highlights how IT priorities are shifting, saying organizations "are placing more emphasis on automation, remote IT management, and employee IT adoption and engagement."

The report also urges public-sector organizations to re-evaluate "once-temporary IT solutions to shore up vulnerabilities," and we're seeing some hopeful signs that top public leaders are becoming more aware of that need. In Colorado, for example, Debbi Blyth, the state's chief information security officer, told me that "executive leadership specifically engaged our security team to ensure security was included in new systems being built or implemented to support the pandemic response" and to "ensure temporary measures could be secured for the long term."

The clear evidence is that work from home has become more accepted by IT leaders and that it will be a growing expectation by employees. Securing home networks is a new-normal challenge, and the need for government employees to access and process sensitive citizen data in a secure way will tax people and budgets in resource-constrained government organizations.

But protecting government assets and citizen data is more important than ever, and now is the time for long-term security strategies. That will take real leadership exercising real vision, and it will take something along the lines of a 1,000-day strategic horizon.


Governing's opinion columns reflect the views of their authors and not necessarily those of Governing's editors or management.

Mark Weatherford, Governing's cybersecurity columnist, is the chief strategy officer for the National Cybersecurity Center.
Special Projects