
Content provided by Nisos, Inc. All podcast content, including episodes, graphics, and podcast descriptions, is uploaded and provided directly by Nisos, Inc. or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here: https://he.player.fm/legal.

Digital Transformation and Threat Intelligence Use in the US Public Sector with Former Booz Allen Hamilton Manager Gaurang Shah

31:14
 

In episode 78 of The Cyber5, we are joined by our guest, Gaurang Shah, former senior lead technology manager at Booz Allen Hamilton.

We talk about the challenges of digital transformation and cybersecurity in the US federal government. We discuss solutions for bringing innovative technology and bespoke services into the federal space and how to shorten long procurement cycles. We also cover what the federal government can learn from the private sector, including how to shrink the ongoing cyber skills shortage.

Four Takeaways:

  1. Federal CISOs and CIOs Think Cloud Migrations Will Not Bake in Security

Outside of the US national security, intelligence, and DOD sectors, many civilian agency CIOs and CISOs in the US federal sector have the following shortcomings with regard to cloud migration:

First, they think security will be baked in as part of cloud migrations to AWS, Azure, or GCP, when that is not the reality. Second, cloud implementation covers infrastructure-as-a-service but is way behind in software-as-a-service and application security. Third, they are either not aware of their expanding attack surface, given a lack of enterprise security culture, or they are unable to gain funding for their security initiatives. Last, they have trouble retaining talent from the private sector.

  2. Build Versus Buy Debate in the US Civilian Agencies

Procurement in many of the civil agencies within the US federal government is based on the lowest cost acceptable and not necessarily on value delivered for efficiency. They also cannot hire and retain talent at costs comparable to the private sector, so building technology is extremely challenging. In many civilian organizations, they aren’t doing threat intelligence and incident response at the scale and speed necessary.

  3. Approaches for Overcoming Cyber Skills Shortage Gap

Understanding that the federal government will lose out on hiring top talent due to lowest-cost-acceptable restrictions in the procurement cycle, we recommend training IT, enterprise architects, database administrators, and system administration personnel who want to grow into security, particularly in automation.

  4. Future of Outsourcing to Managed Services Experts and Codifying Appropriate Threat Models

Some civilian agencies will likely need to outsource portions of SOC operations to managed services companies over the coming years. Some agencies are outsourcing Level 1 alerting, for example, while keeping Level 2-4 escalations in-house.

However, for the US federal government as a whole to be successful, there needs to be an agreed-upon risk posture framework that many civilian agencies adhere to, so that automation in detection and response can be achieved at the scale needed in the federal space.

Further, application and software security are way behind, and much of the focus is on infrastructure security. Unfortunately, the federal space is still reticent about outsourcing because of supply chain concerns. However, the federal government may have no choice but to implement aspects of next-generation SOC through outsourcing to a higher degree of experts.
