Panel: Compliance does not create cybersecurity


Agency CIOs are consumed with compliance and check boxes rather than focused on cybersecurity and risk management, said an Aug. 23 panel of cybersecurity experts.

"Compliance is my worst nightmare," said David Stender, associate chief information officer at the Internal Revenue Service. "If you're really trying to be compliant you're spending way too much money to achieve that," he added, while speaking at a MeriTalk event in Washington, D.C.

Real risk management means being prepared for an incident, as well as the impact of that incident on a system, explained Peter Mell, a senior computer scientist at the National Institute of Standards and Technology. "As far as I can tell, I don't know of anybody that's doing risk management," said Mell.

"The idea that we can create policies and comply with them, and achieve secured systems that stay secured is a complete fallacy," said Mell. "Yet that is the daydream of the nightmare that we are living in."

But Tony Sager, chief operations officer of the information assurance directorate at the National Security Agency, said compliance is, in fact, important. The problem is, it's misaligned with technology, he said. The goal should be to demonstrate compliance from what's already being generated off of the IT, and current standards don't make that easy.

Joe Jarzombek, director for software assurance in the national cybersecurity division of the Homeland Security Department, helps maintain the National Vulnerability Database. The database is a resource for proactive, continuous monitoring--an alternative to the reactive patching at the core of many agencies' cybersecurity strategies.

"We can tell you where, in advance, you would be exploited. So why is it that we're not doing something about it?" asked Jarzombek. "Rather than simply waiting for people to tell you that you must do things through changes in policy and compliance management, we can actually take some preventative actions."

Leveraging reporting and automation will be key to creating secure networks going forward, said Sager. "This is a problem that we're not going to train our way to solve," he said.

"I hire and develop [cybersecurity] wizards for a living. There are never going to be enough of them," said Sager. "We've got to automate more of this stuff so we can put the precious few humans we have on our really hard problems, not patching and configuration."
