This week, CA Technologies hosted a government summit in Washington, focused on securing and modernizing the business of government. The software company's conference highlighted the similarities between IT challenges in both the public and private sectors.
Security remains a leading concern, and across sectors organizations are struggling to keep up with the threat landscape.
To better secure systems, agencies have to modernize, according to panelists, but to guarantee speed and efficiency leaders have to adapt to more agile practices.
From struggling with IT efficiency to protecting personal information, here are some of the key takeaways from the summit.
1. Protecting personally identifiable information
The current threat landscape is rapidly evolving, but the focus in both the public and private sectors should remain on protecting data.
"Data is the primary thing you're trying to protect," especially personally identifiable information, said Nitin Naik, IRS IT technical director for strategic planning. Users have to provide sensitive information to verify their identities, but with the constant threat of data breaches, much of those personal details remain at risk.
When corporations want to make sure they are engaging with the intended user, and not a malicious actor, they choose referential data that is unique to the user, Naik said. But, with the widespread adoption of social media, information that is required to identify a user is much easier to access as it is often freely publicized.
A security solution, however, may lie in phones, Naik said. Smartphones can act as a container that allows for identity verification.
2. Technology rapidly changes
One of the main differences in government IT stems from budget allocations. Year over year, agencies don't necessarily know what funds the federal government will allocate, though they can be sure there will be an intense focus on cyber, according to Bill Zielinski, director of the Office of Strategic Programs for the GSA.
Agencies have to remain cost-efficient as money is not necessarily flowing into departments. Because of that, agencies are sometimes hesitant to modernize and innovate with technology.
"Change is hard," said Tim Hoescht, chief technology officer of Accenture Federal Service."The new technologies are changing more rapidly than we can keep our eyes on."
To keep up, government needs to increase its forward-looking investments, not just relying on "yesterday's tech" to solve problems, Zielinski said. Agencies "need to not react after the need arises."
A solution may come from a cultural change in government, with more leaders adopting agile methods to boost development practices, allowing for innovation in a continuous fashion, according to Hoescht. Then, to modernize, agencies can take on projects bit by bit rather than relying on massive overnight changes.
3. Mitigating risk in cybersecurity
Many experts have called for the government to cooperate with private industry, creating a two-way security dialogue and facilitating information sharing that could work to better defend agencies and businesses alike.
But government agencies are struggling to defend themselves, according to Dan Doney, CEO of Securrency, Inc. In a recent report Doney cited, U.S. federal, state and local government agencies were ranked last for their ability to protect both their organization and data when compared to the private sector.
The sectors that did best are those that properly understand risk, Doney said. To truly improve security, "we need more leadership and less management."
One of the primary security concerns experts at the panel had involved the "human factor" and insider threats. In either the government or commercial sector, insider threats start with a normal account that has been compromised, according to Ken Ammon, senior advisor for CA Privileged Access Management. "It looks like a normal user doing things that are very abnormal."
To help mitigate the risk, organizations need systems in place that can contain, control and monitor for abnormal behavior.
But in order to create strong security, organizations have to be willing to disrupt things internally, Ammon said. "There's risk to change. And without the appropriate air cover, people will run from risk."
4. The threat landscape is complicated
The threat landscape is rapidly evolving, and even the most advanced organizations can struggle to keep up.
"Life is now at the speed of software," said Jeff Voas, computer scientist for the National Institute of Standards and Technology. "Security is really at the speed of the threat space and how fast these threats come along."
No longer are systems a one-time build. Data sits on systems with multiple layers. But every one of those layers is potentially hackable.
One of the reasons the IRS has not yet gone to the cloud is that it is still concerned with the risk, Naik said. "We're looking for data encryption at rest and data encryption in motion."
To keep up with constant threats, security professionals are more and more relying on data, but processing that data can prove challenging.
"Attacks can come from anywhere," Naik said. "You're looking for anomalies."
With "known knowns," a potential risk is understood so it is easier to mitigate, according to Naik. Security complexities, however, arise from the "known unknowns," which require more data.
To stop fraud, security professionals have to track where the data comes from, Naik said. "Can I start making those unknowns known, then add more data? Then it becomes, 'What is the risk?' 'What is the mitigation?'"