Cloud cybersecurity a key focus of federal IGs in 2015
Inspectors general play a powerful role in ensuring the security and compliance of agencies throughout the federal government. Their audits are frequently the best way of identifying weaknesses in departments' infrastructure or policies before they can lead to data breaches or other security incidents.
Michael Horowitz recently began his two-year term as chair of the Council of Inspectors General. Speaking to Federal News Radio, Horowitz detailed his main priorities for his tenure. Key among these was a focus on cloud integration and how this trend can present cybersecurity risks for federal agencies.
The cloud and cybersecurity
The news source noted that there are 72 inspectors general in the federal government. The Council of Inspectors General helps to determine areas of focus for this community, as well as strategies for achieving their goals.
Horowitz told Federal News Radio that there are a number of leading concerns among federal IGs, including internal investigations and oversight. However, the process of cloud integration may be the single most important issue for IGs to devote themselves to in the coming months.
"One of the things the CIGIE (Council of Inspectors General on Integrity and Efficiency) coordinated and organized was a review among several IGs on the government's effort at cloud computing within their agency, obviously an issue that almost every single federal agency is dealing with," said Horowitz, the news source reported.
Horowitz went on to explain that IG investigations in this effort will likely be modeled on previous government-wide audits. He noted that CIGIE conducted a review of improper payments among federal agencies – a problem that numerous departments were grappling with.
"So those are the kinds of things that cross-cut throughout the community that we need to understand what each other are doing – make sure that we're all doing the same thing to the extent that you can make sure that it's apples-to-apples," Horowitz asserted, the news source reported.
Speaking to the news source, Brian Miller, the former chair of the CIG, noted that one of the biggest challenges that the organization faces is the difficulty of securing needed information from agencies. Whether due to the sheer size of their bureaucracies, complex internal arrangements or poor communication, many agencies fail to deliver essential data to IGs. This can stymie efforts to ensure agencies are complying with relevant regulatory standards, be they cybersecurity-related or otherwise.
Miller went on to explain that third-party firms can often prove invaluable in these situations.
"We had a situation where we had a very important letter that was given to us from a third party, and it belonged to GSA clearly in their records and they were not producing it. But we had it. And they were saying 'We gave you all the documents,' and in fact they hadn't," said Miller, the source reported.
This points to a frequently underappreciated aspect of cybersecurity in general and cloud integration in particular. No organization can protect itself and its assets without a clear understanding of where those assets reside. Without understanding the complicated inner-workings of an agency's infrastructure, there's no way to plug up potential security gaps or correct other vulnerabilities.
A third-party cybersecurity consulting firm, however, will have the experience and expertise needed to catalog and comprehend an agency's operations and resources. The consulting company can then offer guidance and advice to improve cybersecurity throughout the organization. This is particularly important in light of the growing influence of cloud computing, as the shift to hosted services can significantly complicate an already complex agency's infrastructure.