by Retired Air Force Lt. Gen. William Bender
Federal Chief Information Security Officers (CISOs) operate in an increasingly complex threat landscape. To be effective, they cannot rely on a single cybersecurity approach.
To strengthen cyber resilience, CISOs require a comprehensive approach to agency cybersecurity that starts with the implementation of an “industry-standard” framework to ensure broad data protection measures. A great example is the NIST Cybersecurity Framework (CSF) 2.0 promulgated by the National Institute of Standards and Technology. In addition, CISOs should leverage ISO/IEC 27001:2022 data management principles for their most sensitive information.
Beyond these recommendations, CISOs need to implement a Zero Trust (ZT) Security Model and be proactive in enhancing their organization’s security posture by strictly adhering to Secure-by-Design Principles in software development efforts.
ZT Security Model
Federal agencies are required to adopt ZT security models. The overarching principle of ZT models is “never trust, always verify.” The model requires continuous authentication of users and restricted access based on well-understood, need-to-know principles.
It sounds easy enough, but developing achievable, implementable measures is extremely difficult in today’s federal environment. Simply stated, legacy infrastructure and its underlying security architecture make ZT almost impossible. It requires baby steps in what could aptly be described as an evolutionary journey, where incremental versus wholesale change is the norm.
As a first step, every CISO should implement phishing-resistant multifactor authentication. It involves removing easily stolen passwords from the authentication process and replacing them with passkeys, security keys, and/or biometric authentication measures.
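The paragraph above says what to replace passwords with but not why passkeys resist phishing while one-time codes do not. The following is an added example (not code from the original article or from Electrosoft) that simulates the origin binding of a WebAuthn-style assertion using only the Python standard library: the browser records the real page origin in the signed client data, and the authenticator's credential is scoped to one relying-party identifier. HMAC stands in for the per-credential key pair a real authenticator would use; the origins, hostnames, secrets and challenges are constructed.

```python
"""
Why passkeys resist a relayed phishing page: origin binding.

Added example, not code from the original article. HMAC keyed per rpId
simulates the per-credential private/public key pair of a real passkey;
the relying party (RP) would store a public key instead of a shared key.
Every origin, hostname, secret and challenge here is constructed.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.agency.example"            # assumed relying-party identifier
RP_ORIGIN = "https://login.agency.example"


class Authenticator:
    """Stand-in for a passkey: one credential key per rpId, so a
    look-alike site never gets a signature from the RP's credential."""

    def __init__(self):
        self._device_secret = secrets.token_bytes(32)

    def credential_key(self, rp_id: str) -> bytes:
        return hmac.new(self._device_secret, rp_id.encode(), hashlib.sha256).digest()

    def sign(self, rp_id: str, client_data_hash: bytes):
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash field
        sig = hmac.new(self.credential_key(rp_id), auth_data + client_data_hash,
                       hashlib.sha256).digest()
        return auth_data, sig


def browser_assert(authenticator, page_origin, rp_id_requested, challenge):
    """The browser, not the page, writes the actual origin into clientData
    and only allows an rpId that the page origin is permitted to claim."""
    host = page_origin.removeprefix("https://")
    if not (host == rp_id_requested or host.endswith("." + rp_id_requested)):
        raise ValueError("rpId is not a registrable suffix of the page origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = authenticator.sign(rp_id_requested,
                                        hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(registered_key, challenge, client_data, auth_data, sig) -> bool:
    """RP-side checks: challenge freshness, origin binding, rpIdHash, signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:
        return False  # assertion was produced on another site
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(registered_key,
                        auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def legitimate_login(auth, registered_key) -> bool:
    challenge = secrets.token_hex(16)
    cd, ad, sig = browser_assert(auth, RP_ORIGIN, RP_ID, challenge)
    return rp_verify(registered_key, challenge, cd, ad, sig)


def relayed_passkey_login(auth, registered_key) -> bool:
    """A look-alike page relays the RP's real challenge. The browser still
    records the look-alike origin, and the authenticator uses a key scoped
    to that origin's rpId, so the RP rejects the assertion."""
    challenge = secrets.token_hex(16)
    phish_origin = "https://login-agency.example.net"   # constructed look-alike
    try:
        cd, ad, sig = browser_assert(auth, phish_origin, RP_ID, challenge)
    except ValueError:
        cd, ad, sig = browser_assert(auth, phish_origin, "login-agency.example.net", challenge)
    return rp_verify(registered_key, challenge, cd, ad, sig)


def relayed_otp_login(shared_secret: bytes, counter: int) -> bool:
    """Contrast: a one-time code is just a value typed into whatever page
    asked for it, so a relayed code verifies; nothing ties it to an origin."""
    code = hmac.new(shared_secret, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:6]
    return code == hmac.new(shared_secret, counter.to_bytes(8, "big"),
                            hashlib.sha256).hexdigest()[:6]


if __name__ == "__main__":
    auth = Authenticator()
    key = auth.credential_key(RP_ID)        # stored at registration time
    print("legitimate passkey login:", legitimate_login(auth, key))
    print("relayed passkey login:   ", relayed_passkey_login(auth, key))
    print("relayed OTP login:       ", relayed_otp_login(b"constructed", 1))
```

The relying party rejects the relayed passkey assertion twice over: the origin in the client data is not the RP's, and the credential key used belongs to a different rpId. The one-time code has neither property, which is what "phishing-resistant" means in the paragraph above.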
Secure-by-Design Principles
Another step CISOs can and should take to strengthen cyber resilience is to adopt Secure-by-Design software development principles. Secure-by-Design involves embedding security measures early in the software development lifecycle to help identify and fix any vulnerabilities before deployment. In this way, software products are thought to be inherently secure before they’re released.
Some key security considerations include:
Other Best Practices
There are numerous other steps CISOs can and should take to promote cyber resilience. For example, take a proactive approach to threat intelligence, wherein the collection and analysis of data on emerging threats uses AI and automation to anticipate, find, and respond to cybersecurity attacks in real time. Consider implementing network applications capable of monitoring user and entity behavior for anomalies indicative of suspicious activity. Have adaptable cyber incident response plans in place to ensure rapid, effective responses to security incidents when they inevitably do occur.
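To make the behavior-monitoring recommendation above concrete, here is an added example (not code from the original article) of a minimal user-behavior baseline and anomaly scoring run over constructed authentication log lines. The log format, user names, IP addresses, the IP-to-country table and the score weights are all assumptions; a production UEBA product would use GeoIP enrichment, far richer features and tuned thresholds.

```python
"""
Baseline-and-score anomaly detection over authentication log lines.

Added example, not code from the original article. Log lines, users,
addresses, the GEO table and the weights below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for GeoIP enrichment.
GEO = {"203.0.113.10": "US", "203.0.113.11": "US", "198.51.100.7": "RO"}

BASELINE_LOGS = [  # constructed history of successful logins
    "2024-05-01T09:02:11Z user=alice src=203.0.113.10 host=vpn-gw result=ok",
    "2024-05-01T13:40:05Z user=alice src=203.0.113.10 host=mail result=ok",
    "2024-05-02T08:55:42Z user=alice src=203.0.113.11 host=vpn-gw result=ok",
    "2024-05-02T17:10:19Z user=alice src=203.0.113.11 host=mail result=ok",
]

NEW_LOGS = [  # constructed events to score against the baseline
    "2024-05-03T10:15:00Z user=alice src=203.0.113.10 host=mail result=ok",
    "2024-05-03T10:40:00Z user=alice src=198.51.100.7 host=fileshare result=ok",
    "2024-05-03T03:05:00Z user=bob src=203.0.113.10 host=vpn-gw result=ok",
]

WEIGHTS = {"new_country": 3, "off_hours": 2, "new_host": 1,
           "impossible_travel": 4, "no_baseline": 5}
ALERT_THRESHOLD = 4


def parse(line: str) -> dict:
    """Parse 'timestamp key=value ...' into a dict with ts and country."""
    ts, *kv = line.split()
    ev = dict(p.split("=", 1) for p in kv)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["country"] = GEO.get(ev["src"], "??")
    return ev


def build_baseline(lines):
    """Per-user sets of countries, active hours and hosts seen in history."""
    base = defaultdict(lambda: {"countries": set(), "hours": set(), "hosts": set()})
    for ev in map(parse, lines):
        if ev["result"] != "ok":
            continue
        b = base[ev["user"]]
        b["countries"].add(ev["country"])
        b["hours"].add(ev["ts"].hour)
        b["hosts"].add(ev["host"])
    return base


def score_event(ev, baseline, last_seen):
    """Return (score, reasons) for one event; last_seen tracks the previous
    event per user so that a fast country change can be flagged."""
    reasons = []
    b = baseline.get(ev["user"])
    if b is None:
        reasons.append("no_baseline")
    else:
        if ev["country"] not in b["countries"]:
            reasons.append("new_country")
        nearby = {ev["ts"].hour - 1, ev["ts"].hour, ev["ts"].hour + 1}
        if nearby.isdisjoint(b["hours"]):
            reasons.append("off_hours")
        if ev["host"] not in b["hosts"]:
            reasons.append("new_host")
    prev = last_seen.get(ev["user"])
    if prev and prev[1] != ev["country"] and ev["ts"] - prev[0] < timedelta(hours=2):
        reasons.append("impossible_travel")
    last_seen[ev["user"]] = (ev["ts"], ev["country"])
    return sum(WEIGHTS[r] for r in reasons), reasons


def detect(baseline_lines, new_lines, threshold=ALERT_THRESHOLD):
    """Score each new event in order; return the ones at or above threshold."""
    baseline = build_baseline(baseline_lines)
    last_seen = {}
    alerts = []
    for ev in map(parse, new_lines):
        score, reasons = score_event(ev, baseline, last_seen)
        if score >= threshold:
            alerts.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(BASELINE_LOGS, NEW_LOGS):
        print(a)
```

Run as a script, the normal mid-morning login scores zero, the login from a new country and new host 25 minutes after a US login scores 8 (new country, new host, impossible travel), and the user with no history at all is flagged for review. The weights deliberately make a single weak signal insufficient on its own, which is the kind of tuning that keeps analyst workload sustainable.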
As the resident security experts, CISOs must continuously update their knowledge of the latest threats and vulnerabilities. At the same time, cybersecurity takes a team, necessitating a strong focus on recruiting, retaining, and developing top cybersecurity talent. Beyond the team, CISOs must promote a culture of security awareness throughout their organization through regular training sessions. Personnel can be invaluable in recognizing and relaying cyber threats.
CISOs must understand the overarching business goals of their organization. Otherwise, business objectives and security initiatives will not align. It’s vital that security measures support and protect the agency’s most critical assets without unnecessarily impeding operations and mission accomplishment. CISOs must effectively explain the value of the security initiatives they are undertaking to non-technical business stakeholders using business terms. Demonstrate how enhanced security contributes to better outcomes – and do so on an ongoing basis. Most importantly, establish strong and trusted relationships with executives and other key decision-makers and influencers across the organization. The importance of management support cannot be overstated.
Conclusion
As a practical matter, it is impossible to thwart every attack or intrusion. Yet, by adopting these best practices and strategies, federal CISOs can effectively strengthen cyber resilience and safeguard mission-critical systems against evolving threats. Still, in today’s data-centric world, no CISO should operate without data recovery and backup strategies that ensure a swift recovery to a trusted state following an attack.
About the Author
Lt. Gen. (Ret.) Bender is a member of Electrosoft’s Advisory Board, a thought leader in cybersecurity strategy, and a former CIO of the U.S. Air Force. Drawing on decades of experience shaping Department of Defense cybersecurity policy and modernization efforts, he possesses rare insights on best practices for strengthening cyber resilience that span the defense and civilian sectors. His practical recommendations give CISOs strategies to implement today to safeguard mission-critical systems.