by Calvin Simmons, CISO
ORLANDO, FL (January 13, 2021) – The recent massive cybersecurity attack on the U.S. government underscores what our industry has been saying, or, more accurately, shouting, for years: security is paramount for public sector IT. It turns out the breach of federal agencies’ systems reported in mid-December involved hackers taking advantage of a vulnerability in software from a third-party vendor. Given that some of the most sophisticated and secure technology systems in the world were compromised, what can public sector bodies across the U.S. do to keep their systems secure – especially at a time when budgets are tight?
I joined Civix, a leading public sector software and service provider, in March as part of a corporate culture shift and rebrand (before then, Civix was three distinct companies: GCR, PCC, and MB3). Around that same time, the company brought on a new president with a forward-looking vision and a new VP of DevOps hyper-focused on modernizing GovTech. All this presented an opportunity rarely afforded to InfoSec professionals – an opportunity to build a program from scratch.
Previously, I was the enterprise security architect for one of the largest private healthcare systems in the United States that managed 45 hospitals and 130,000 workforce members. Changing course there could be likened to steering the Titanic. At Civix, we could be nimble, and we were expected to be fast – in part, to prepare for the quickly approaching 2020 General Election.
While most organizations aren’t able to start fresh as we did, there are still plenty of lessons learned along the way that can be adopted by any InfoSec team:
1. Security Must Be Ingrained in the Culture
As a father of six, I know how important it is to have everyone on the same page. Any parent can relate to the struggle of getting kids in the car to arrive at a destination on time. It helps a lot when everyone can get ready and buckled up on their own. It’s much the same with security. Everyone has a role to play, from the average user logging into their email to the developer coding an application. With highly sophisticated techniques, malicious actors can dupe users into clicking a legitimate-looking link that allows them to slowly and methodically exploit an entire network. All the security tools in the world can’t help if users aren’t well-trained and aware. That’s why building security into a corporate culture and having everyone’s buy-in is critical. Effective security is a symphony of people and processes.
2. Set it in Stone
A first step is developing security policies that are endorsed by the organization’s leadership. They should establish goals and provide mechanisms that identify gaps, providing a clear roadmap for your efforts. At Civix, we began by creating a charter document and establishing detailed policies aligned with the NIST Common Security Framework. Though this is a tedious process, it pays dividends when considering the costs of a cybersecurity attack. It’s also worth noting that an effective security program is always maturing, so the work is never complete. The policies and playbooks should be revisited regularly to confirm all efforts are on track and current.
3. Honesty is the Best Policy
Becoming totally secure requires an honest assessment of your organization’s IT systems and potential vulnerabilities. It also means appreciating that you don’t know what you don’t know. That is why common frameworks, testing, audits, and third-party certifications are so important. If you haven’t undergone an independent, outside assessment and audit, then chances are you really don’t know yourself very well. At Civix, we rely on the NIST cybersecurity framework and build on a platform that is SOC2 and FedRAMP certified. Our team also incorporates independent penetration testing early in our development process in order to catch potential issues before they become real problems.
As we saw in the recent attacks on federal agencies, public sector organizations must ensure the security of third-party software, too. In my previous role in healthcare, I was the client, and I was always guided by a signature line of President Ronald Reagan: “trust but verify.” Vendors, eager to win business, should be able to provide evidence to back security claims, and clients should demand it. Another surefire way to build trust is for vendors to demonstrate their reliance on a highly defined formal security framework, which will show where they are and where they need to improve.
4. Don’t Eat the Elephant
Every organization wants a maturity score of five immediately, but it takes time to get there. Rather than try to become an all-star at every position at once, it’s much more effective to identify priorities through a self-assessment and focus on those areas where you can make the most progress. This further relieves the anxiety of the ‘unknown’ and builds confidence by knowing where your strengths and weaknesses are.
5. Prepare for the Worst
You should expect bad things to happen. But bad things become worse when you’re not prepared. For the 2020 election season, Civix moved all Elections Management systems into our Security 360 environment hosted in AWS GovCloud.
We are especially proud of Civix’s Security 360-degree approach to a mature security posture for cloud applications. This is achieved by building an automated provisioning environment that takes human error out of the equation. Civix has invested heavily in policy-based automated deployments built on best-practice security principles. This is complemented by full audit capability and 24/7/365 continuous monitoring of event data from systems, environments, and best-of-breed security tools such as CloudFlare, CrowdStrike, Optiv, Qualys, and MimeCast.
Even with a highly secure system, though, it is necessary to have a robust response capability. In any kind of worst-case scenario preparation, a methodical approach is essential. One of our key learnings in building the security playbook for Civix was that you have to understand what you’re dealing with before you take any action or you’re just wasting precious time. When we’ve become aware of a potential issue, we’ve been able to respond quickly and capably because we have an incident response plan that prioritizes and orders actions, along with experienced GovTech Incident Management professionals capable of implementing them.
6. Trusted Partners Make Life Easier
As we developed our security playbook, we moved our technology platform to Amazon Web Services (AWS) GovCloud (US). This Amazon distributed cloud infrastructure is purpose-built from the ground up for SOC 2 and FedRAMP High compliance. With platforms hosted in AWS GovCloud, Civix provides clients peace of mind with a hosting environment that meets the most stringent U.S. government security and compliance requirements.
Through the 2020 election season, our Security 360 implementation in AWS GovCloud proved to be an outstanding success story, with not a single security incident and zero interruption of elections management systems or election night reporting. Moving forward, we’re provisioning all new products into our AWS GovCloud environments and encouraging our clients to migrate existing workloads to this world-class hosting environment.
Calvin Simmons is the Chief Information Security Officer for Civix. Calvin is a Certified Information Systems Security Professional (CISSP) and has a Master of Science in Cybersecurity with over twenty years of IT and Security experience. He presents regularly at InfoSec conferences and loves to travel. At home, he is a father of six and enjoys finding opportunities for his family to serve their community together.