The Driver For IT Modernization: Cybersecurity Risk
Hardware and software developers are building on decades of experience to support new capabilities, provide smart infrastructures and leverage the Internet of Things for the secure creation, collection, delivery and use of data on large scales and at high speeds.

But both the public and private sectors have invested billions of dollars over the past 40 years in platforms to support services and processes that have become mission-critical. While new features and equipment are being added, the old ones do not disappear. While e-mail and web applications are no longer considered cutting edge, they are relied on every day. The availability of these applications and the networks that support them remain critical to the way we conduct business today. The legacy infrastructure supporting these functions has often been resilient. And to its credit, it often demands little attention.

“While many of these devices are still operating functionally,” Grieco said, “people tend to take them for granted, even as our needs and dependence on them increases, and there is a level of complacency.”

But with this complacency comes risk. As equipment becomes outdated and reaches its end of supported life, it becomes less efficient, less productive and less secure. Outdated infrastructure does not support modern applications and innovation, and it does not have the resiliency needed to survive today’s threat environment. Modern cybersecurity is about risk management, which requires eliminating and mitigating risks where possible, and knowingly accepting those that remain. But you can’t manage risks that you don’t see.

“Public Sector Organizations don’t realize the risk associated with leaving legacy equipment in place. Being up-to-date helps you to put into place the risk mitigation you need,” Grieco said.

Many government agencies are operating mission-critical systems with equipment that is approaching or has passed its end of supported life. A 2012 survey by the National Association of State Workforce Agencies found that most IT systems supporting unemployment insurance programs are old and based on outmoded programming languages, many dating as far back as the 1970s or 1980s. An analysis of 200 IT systems for the state of Colorado found 77 were more than 15 years old, and a 2014 study of systems by the Texas Department of Information Resources found that 61 percent were classified as legacy — that is, obsolete or inefficient.

These systems were not designed to withstand the threats of today’s online adversaries. During their supported life, vendors routinely issued security patches and updates to protect them against evolving threats. But once unsupported, they lose this protection and obsolete platforms are unable to support current cybersecurity needs.

Agencies that continue to operate this equipment not only are missing out on the efficiency and economy of up-to-date technology – they are expending resources to maintain weaknesses in their networks that are vulnerable to exploit.

Cybersecurity Is Not Optional

While effective cybersecurity is a top priority for all organizations, maintaining this security is more than a matter of self-interest. Cybersecurity is a requirement under a number of laws and regulations for government, contractors and other organizations that use and store sensitive government information.

The foundation for federal cybersecurity is FISMA — originally the Federal Information Security Management Act, now the Federal Information Security Modernization Act. FISMA requires executive branch agencies to maintain cybersecurity programs and routinely assess and certify the security status of all information systems. Underlying this law is a library of guidelines, standards and best practices created by the National Institute of Standards and Technology (NIST) in its 800 series of Special Publications. In early 2016, the White House released the Cybersecurity National Action Plan, which recognizes cybersecurity as “one of the most important challenges we face as a nation.” It establishes a Commission on Enhancing National Cybersecurity and calls for more than $19 billion for cybersecurity in the president’s budget for fiscal year 2017. NIST released a Framework for Improving Critical Infrastructure Cybersecurity in 2014, a set of voluntary guidelines and best practices that has been widely adopted by both industry and government.

Yet in spite of these and many more government and industry regulations, many agencies continue to take unnecessary risks by maintaining unsupported and unsecured platforms.
4 INDUSTRY PERSPECTIVE
Reframing the ‘If it Ain’t Broke … ’ Mindset

Legacy systems often represent significant capital expenditures that continue to provide a return by supporting mission-critical operations over the years. Appropriations for timely upgrades can be difficult to get when budgets are tight, and there often is a reluctance to tamper with critical systems as long as they are working.

Although tech refreshes usually are done on nominal cycles of three to five years, in the real world of government IT the process is not always that straightforward. Not every process or service requires the latest and best equipment. And when a key measure of performance is up-time and availability of critical applications, updates to these systems can have a low priority. “If it’s working, don’t touch it,” is the attitude, Grieco said.

Some systems are installed in unique environments that are remote and intended for long lifetimes, such as industrial control systems in critical infrastructure installations and military defense systems. These typically have a longer operational life than more conventional systems.

All of these factors contribute to an accumulation of legacy systems over time. But operating these systems beyond the end of their supported life inevitably provides diminishing returns to the enterprise. As the effort to keep them running becomes greater, their vulnerability to attacks also grows. The organization misses out on the efficiency and productivity provided by up-to-date equipment, which is also easier to maintain and provides increased reliability with fewer financial and human resources.

“You must know what you’ve got in your network,” Grieco said. “That’s the first step.”

Then build on that awareness to make risk-based decisions about what to do and when to do it.

Six important first steps include:

• Inventory the network. Networks are organic things that grow and evolve over time. Unknown and unauthorized devices — “Shadow IT” — can creep into the infrastructure and legacy equipment can be forgotten. Discovery is essential to making decisions.

• Perform a risk-based vulnerability assessment. It is not enough to know the equipment and vulnerabilities. Sensitive information and critical resources can represent higher risks than secondary public-facing assets. Identify and prioritize them.

• Patch and upgrade. This is a basic part of good cybersecurity hygiene.

• Harden the infrastructure with best practices. Replace default settings to ensure that services and access are appropriately limited, and then monitor configurations.

• Identify equipment that is approaching its end of supported life. Products that are not being patched and updated by their vendors create vulnerabilities in the network.

• Create a risk-based funding plan for the refresh. Make sure that those things that must be done will be done. Then move on.

The Security-Driven IT Modernization

Given the risks of operating an aging, end-of-life infrastructure and the advantages of new trustworthy platforms that have security designed in, there is no reason to risk critical agency data on legacy equipment.

Security is no longer a secondary requirement that can be added as an afterthought to information systems. It must be an integral part of the infrastructure, and take advantage of the infrastructure to understand security posture, monitor activity, evaluate threats and respond at machine speeds. Because the network itself is critical to an effective cybersecurity posture, a security-driven refresh of the network can provide the confidentiality, integrity and availability needed for cybersecurity as well as the resilience, functionality and economy needed for good business practices.

Cisco has been innovating networking products for more than 30 years and has a large installed base in networks around the globe. As threats to networks have evolved, Cisco responded with a Secure Development Lifecycle to ensure that security is built into the underlying architecture of solutions and embedded throughout the enterprise. Ensuring this security is a continuous process. As new products are developed and existing products are updated, security is embedded into every platform.

“The security landscape is continually evolving. Ten years ago, we didn’t know what things we would need to protect against today,” Grieco said.

To keep all of its platforms secure, Cisco keeps them up to date as part of its Secure Development Lifecycle program.

Cybersecurity no longer is an issue restricted to the IT department. It has moved into the executive suite and the board room as a necessary business function. Companies can suffer serious financial loss and damage to brand value in the wake of data breaches. Government agencies risk the loss of public confidence when personal information of employees and citizens is exposed. In both the public and private sectors, breaches can be career-ending events for executives.

But adequate budgets for IT security, maintenance and refresh cannot be assumed. Chief executives — both public and private — have a duty to ensure that the funds they control are spent responsibly. IT and security experts have a responsibility to make the case for these expenditures.

Investing in a modern, digital-ready network provides solid returns that make good business sense. The security designed into Cisco platforms provides cost-effective security, resilience and trustworthiness that meets cybersecurity requirements. The platforms also support modern applications and processes that help organizations take full advantage of mobile computing, the Internet of Things, Big Data, cloud computing and other emerging technologies that are defining the modern workplace, marketplace and government.

Organizations often put themselves at risk while struggling to do more with less. Enabling a digital transformation lets organizations do more, and do it securely and economically.
How Cisco Can Help
Cisco can partner with customers to help them understand the current
status of their network, decide where they need to be and chart a path
to get there. Consultants can help not only in laying out a roadmap
for a security-driven IT modernization, but in taking full advantage
of modern, trustworthy platforms to achieve the desired business
outcome.
Cisco consultants can also help customers meet and stay in compliance
with applicable regulatory requirements for cybersecurity.
“It’s all about driving the risk down to enable future growth and innovation,” Grieco said.
There is no need to take risks with your agency’s data and reputation.
Don’t Risk a Security Breach. Don’t Risk IT.

Are you entrusting your organization’s crucial data to aging, end-of-life infrastructure? Don’t Risk IT! Cisco security-driven network offerings are built from concept to completion to include built-in security to protect sensitive data. Learn more at www.cisco.com/go/dontriskit.

GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government.

www.govloop.com
@GovLoop