Federal Chief Information Security Officer (CISO) Chris DeRusha said late Thursday that new cybersecurity metrics are helping the Federal government to better measure its success in moving towards an improved risk posture.
At the Billington Cybersecurity Summit in Washington on Sept. 7, DeRusha explained that the Federal government relies on Federal Information Security Management Act (FISMA) metrics to measure its cybersecurity progress. However, it’s also turning to new metrics to get a more qualitative snapshot.
“We also added a bunch of metrics that are trying to get at more qualitative answers about real risk reduction,” DeRusha said. “So, we started asking questions that were less about like, ‘Have you deployed X number of agents?’ Right, we don’t need to do that. But we also were like, ‘Hey, do you have red teams? How’s that going?’”
“We’ve been trying to measure the things that are telling us the most about our current risk posture today and see how well are we implementing those programs,” he added.
The Federal CISO said that the Federal government is “serious” about these new metrics. He explained that with the previous metrics, he would only get an answer saying, “I’m 10 percent better than I was at something.”
However, he stressed that being 10 percent deployed on something does not give any indication of whether or not that agency is more secure.
“There’s only one thing you should be doing – you should also be figuring out where are you stopping adversaries and are those capabilities maturing,” DeRusha said. “Do you know why they are not maturing? If you don’t, you need to have some level of a regular process to tell you why they’re not maturing, so that you can [get to the] root cause and fix that.”
Additionally, DeRusha said that agencies now have a level of “telemetry” working for them that they did not have 10 years ago. Agencies are now “detecting more serious stuff and sophisticated adversaries,” he said, and the Cybersecurity and Infrastructure Security Agency (CISA) is helping them do that.
For instance, he said CISA knows “how many agencies that can tell you the number of devices that they have.” With improved metrics and telemetry, DeRusha said the Federal government is moving in a positive cybersecurity direction.
“It is really exciting because it’s moving in the direction where we can bring this risk down to a manageable level – and that’s what we need to do,” DeRusha said.