The second part of this series is about what’s driving the cybersecurity changes across government. (Part two in a three-part series.)
Throughout my career, I’ve seen a lot of change in the realm of cybersecurity. Whether in the private or public sector, from pre- to post-pandemic, I’ve witnessed the struggles of agencies coming to terms with digital transformation and cybersecurity.
What I’ve found is that federal agencies are expected to keep pace with their civilian counterparts while abiding by mandates to add an extra layer of security to digital operations. Factor in upheavals caused by the pandemic, and it's clear why the public sector has been feeling the immense pressure to quickly tighten its cybersecurity practices.
Prior to the pandemic, you came into the office, and your network access was granted simply because you were in the building. This all changed when agencies had to figure out how to work remotely with little to no planning. Agencies that were flexible during this period more quickly transitioned into what could be called the new normal.
I experienced what many others did during the pandemic: the challenge of maintaining work processes despite being in completely new territory. However, I’ve managed to find a silver lining. I feel that one beneficial outcome of the pandemic is that agencies got further along in their cybersecurity efforts than they ever would have without it. Application security (AppSec) became critically important once people all over the world were connecting their government devices from their own home networks, outside the perimeter the office had provided.
Software Development Practices and Zero Trust Architecture
Even with all the changes to cybersecurity in recent years, including the emergence of Zero Trust Architecture (ZTA), it has become clear that federal agencies must do better at protecting the application layers of government networks. Software bills of materials (SBOMs) are a huge part of this. A decade ago, many agencies were writing most, or even all, of their own code. In the intervening period, the focus shifted to productivity, output and the use of open-source code, and at times away from software security.
It’s great to want to make more efficient products and develop software in modern ways, but we need to ensure they’re also being made securely. SBOMs give agencies the ability to see what’s inside their systems, but figuring out the technical piece of the puzzle does not mark an end point. Agencies must be educated in effective ways of moving forward with security efforts, ensuring the right people are doing the right work to support these practices.
The federal government often focuses on the network, data, and identity pillars of zero trust. I’ve found that many agencies pay less attention to the application workload pillar, which is where Veracode comes in. Veracode aids public sector agencies by ensuring they focus on all pillars of ZTA.
Exacerbating these challenges are persistent staffing issues in the public sector. Part of the issue here is the often-lengthy process of getting hired by the government. Agencies have taken action to recruit more employees into the federal cyberspace by creating jobs directly tied to IT skills, promoting the benefits of federal work, and improving overall HR processes.
These initiatives will help, yet more must be done. It’s all of the pieces that aren’t technology related (people, procurement, systems) that impact technology in the government. To stay afloat, agencies must focus on agile procurement, executing smaller contracts that answer specific needs, to get technology into government faster.
Despite changes in the government's cyber landscape, I’m hopeful about the future. We must remember that innovation is currently happening at the federal level to try to improve all aspects of agencies. It's great to see us all overcome the obstacles caused by the pandemic and continue working toward what’s most important: fulfilling our missions.
Look for more of this story in the next and final installment, on Veracode's future providing a helping hand to the federal market. Missed part 1 of the series? Check it out here.