In light of an increasing number of data breaches within federal agencies, the defense industrial base, and operators of critical U.S. infrastructure, the federal government is making a concerted effort to improve and enforce cyber security standards across federal agencies and organizations that work with and support government operations.
Yet many organizations remain unsure of how to incorporate cyber solutions into their business, how much of their budget to invest and where, and what the impact on their business will be.
Andrea Schaumann, Director of Federal Partnerships and Programs at Fortress, shares three distinct and overlapping concerns addressing the vulnerabilities inherent in hardware and software acquisition and how organizations should consider and respond to those concerns.
Do you want to invest the time, effort, and money to upgrade your existing assets, or to acquire new ones? How do you evaluate the hardware and software components of your equipment to gain transparency into your supply chain and determine potential vulnerabilities? (This is where hardware and software bills of materials — HBOM and SBOM — come into play.)
What are the threats (e.g., corruption, data theft, malware) that your business is likely to face? And what controls do you need to adopt to secure your potential attack vectors against those threats?
You have to consider the interruptions acquisitions may cause when it comes to maintaining your organization’s daily operations and continuing to deliver value to your customers.
“The primary concern here is that over-hardening may interfere with delivery,” Schaumann said. “At what point have you created so many safeguards that you’ve actually created speedbumps to productivity? What’s a failsafe versus a redundancy?”
How do you keep revenue flowing and protect your reputation with your client base? How do you get organizational leadership to understand that cyber risk is not an afterthought, but a primary part of your overall enterprise risk analysis?
“If you’re not in compliance, that’s going to interfere with the ability to generate new or modify any existing government contracts,” Schaumann said.
Each of these concerns must be addressed at the C-suite level to ensure the solution fits the needs of your unique organization and business goals, and that the resulting controls are enforced and supported by leadership.
Schaumann offers the following advice for each area of concern.
“The business solutions are sometimes the most difficult to approach because you need to validate controls and have voluntary adoption of best practices, which is really about getting leadership buy-in,” said Schaumann. “A lot of that hinges on education so that they’re there to back up their team and they’re starting to ask for budget and additional support.”
If the key stakeholders don’t identify what a good cyber program looks like for their specific organizational goals and needs, then anything that can be acquired quickly and cheaply might look good just because it’s a solution. But it might not be the holistic solution that they need to protect their business.
More of Andrea Schaumann's remarks are available on the Defense and Aerospace Report Cyber Podcast; the above covers just some of her key takeaways.
Fortress Information Security secures critical infrastructure from cybersecurity risks with asset and vendor risk management solutions. Fortress is the only company that connects IT & OT assets and vendors with a holistic approach.
Fortress specializes in critical infrastructure-heavy sectors, like electric power utilities, oil and gas, government, industrial automation, healthcare, transportation, and more.
Schedule a demo to learn more about how Fortress works to identify and manage supply chain risks, continuously monitor, and share data.