Don Chaney, vice president of federal sales at Forcepoint, published his first feature as a member of Executive Mosaic’s GovCon Expert program on Friday to highlight the significant challenges that the federal government is facing as its different agencies all adapt to the latest cybersecurity standards and find innovative solutions for those problems.
In addition, GovCon Expert Don Chaney discussed the lack of leaders in the cybersecurity sector and its impact as the U.S. government works to establish a platform-centric approach to these problems, along with the challenges of industry consolidation.
You can read Don Chaney’s first GovCon Expert article below:
The Biggest Problem with Government Cybersecurity, and How You Can Solve It
By GovCon Expert Don Chaney
Imagine if someone told you that you require 50 or more insurance companies to protect your business. You need one company for each discrete aspect of what you want to protect against, plus some companies with overlapping coverage, then some more companies to cover emerging risks that might soon go away, plus a few extra companies for risks you’ve never even heard of.
Oh, and by the way, even with all those companies, you’ll still have gaps in your coverage and reporting. Integration of the overlapping plans is entirely up to you and your small, hardworking team. Finally, the lines of business within your org feel that your interference, costs, and involvement only slow them down and impede their progress.
Anyone would think that’s crazy. But that’s exactly what government and private sector organizations face with cybersecurity. Many agencies work with literally dozens of vendors that offer one aspect of cybersecurity or another.
In 2021, Panaseer surveyed over 1,200 security decision-makers in the US and UK and determined that the average organization has 76 security tools in its environment. They are inexpertly cobbling together piecemeal products and services, constantly budgeting for new solutions, and continually training their cybersecurity teams on new technologies.
Effectively, they have become their own technology integrators, in a failing effort that amounts to merely hoping they are fully protecting their organizations against cyberattacks.
The problem lies within the highly-fragmented cybersecurity industry itself. But there is a solution. Your agency can address cybersecurity more effectively by taking a holistic, platform-centric, Zero Trust-informed approach to safeguarding systems, data, and users.
Lack of Leaders, Plethora of Problems
The Cyber Research Databank lists more than 3,500 U.S. cybersecurity vendors. Each year, Cybercrime Magazine ranks 150 cybersecurity vendors “to watch.” Built In advises there are 47 cybersecurity vendors you “need to know.” And in the government space, Public Spend Forum says it follows 22,000 companies involved in cybersecurity.
The reasons for this confusing array of providers are multifaceted. Cybersecurity must extend across cloud, servers, data storage, networking, and applications, plus a multitude of use cases. New technologies and cyber threats constantly emerge, necessitating new security responses.
Buyers are oftentimes enticed by the latest and greatest technologies and, because of the talent shortage, are offered ever greater jobs once the latest tech is on their résumés. Outcomes tend to get lost in the process. Venture capitalists respond by funding more startups.
Rarely do we discuss the actual business need for cybersecurity. Unlike traditional IT, all of these “protection” capabilities inject varying levels of friction and add neither capability nor velocity to the business.
Hence, no single vendor or cadre of vendors has emerged as cybersecurity pacesetters. In other IT segments, one or two vendors dominate the field. For instance, most agencies rely on a small number of primary cloud providers, maybe one or two primary server brands, a few network hardware providers, and so on.
Not so for cybersecurity. I challenge you to name the top three security vendors in the space. Now try the same exercise for networking, storage, or servers. Which list is easier to provide?
That lack of known industry leaders in cybersecurity creates headaches for agencies. You need to spend time, effort, and budget identifying cybersecurity vendors, understanding the multiple solutions, attracting talent that can manage those solutions, and so on. Again, you ultimately become your own integrator.
Meanwhile, you feel like you’re always one step behind malicious cyber actors – and barely keeping pace at that. Your cyber adversaries get as many tries as they want to break through your defenses, and they only need to succeed once to wreak havoc on your operations or steal your critical intellectual property.
Industry Consolidation: Less Is More
In short, the cybersecurity industry isn’t functioning efficiently for the organizations it serves. This is especially true for many government agencies, particularly the smaller federal, state, local and tribal agencies that will always be constrained by staffing and budget realities. A couple of things must happen:
First, a small set of vendors needs to emerge as the industry frontrunners. These won’t necessarily be IT industry giants. Some large IT providers do sell cyber products and services alongside their primary offerings. But they aren’t 100% focused on solving cybersecurity end-to-end, and they are unlikely to deliver all-encompassing offerings, focusing instead on their niche or areas of expertise.
Instead, three to five vendors must differentiate themselves as pure-play cybersecurity pacesetters. These leaders will also need to demonstrate the knowledge and focus to serve the government market. Many desire to master the federal space, but either don’t understand what it takes to do so or fail to invest in and adapt to the unique requirements of that market.
This means those vendors need to deliver a cybersecurity platform built around a cohesive philosophy, complemented by hardware, software, services, and partnerships to address cybersecurity in a comprehensive way – all while conforming to the manner in which government customers conduct their purchases.
I believed this would have happened years ago. While it hasn’t happened yet, I still believe this shift will happen over the next few years. For one, a cautious economic environment will partially stem the venture capital fueling cyber startups, many of which will either fail or be acquired by larger competitors.
We are already seeing a shift in the market from market share to profitability goals. As the industry consolidates, several players will emerge as visionary and strategic leaders.
A Platform-centric Approach
In the meantime, there are actions your agency can take now to conquer the cybersecurity conundrum.
First, start thinking about cybersecurity more holistically. Rather than focusing on the next new cybersecurity product, take a platform-centric approach. With a solid security foundation, you can build a cyber stack of complementary solutions, services, and capabilities that adapts to changing vulnerabilities and threats. Look to the vendors that focus on outcomes and provide more than one or two key capabilities. Look for an extensible architecture.
The result will be cybersecurity simplification, along with the cost efficiencies of not having to manage 50 cyber products from 50 vendors. You’ll save time and reduce the need to continually attract talent with a narrow set of knowledge across a wide set of skills.
A Zero Trust mindset can also help, but here is where I’ll caution you. The US government has many authorities alongside varied guidance on Zero Trust architecture. Which do you follow: NIST SP 800-207, CISA’s Zero Trust Maturity Model, GSA ACT-IAC, the US Navy Zero Trust model (or other service models), Gartner’s CARTA, or Forrester’s guidance?
There are more documents and concepts on Zero Trust than you can imagine. You don’t need all of the models. You only need one.
Zero Trust gives your agency a framework for a platform-centric approach to cybersecurity because it’s not a product – it’s an architecture and a way of thinking. If you view your cyber protections from the perspective of the five Zero Trust pillars (CISA model) – which are identity, devices, networks, applications, and data – you’ll have a template for holistic cybersecurity.
Rather than repeatedly buying product-specific approaches that only address one pillar at a time, you’ll build a more seamless platform-centric mindset that simultaneously extends across all the pillars.
Zero Trust also gives your agency an opportunity. The new government emphasis on Zero Trust – along with executive orders and federal guidance – has raised awareness of cybersecurity among agency decision-makers. It also provides IT departments context for rethinking their cybersecurity spending habits and modernizing their environments.
The government’s cybersecurity challenges won’t be solved overnight. But industry consolidation will begin to help. In the meantime, a platform-centric, Zero Trust-enabled approach will make your cybersecurity simpler and more effective.
About GovCon Expert Don Chaney
Don Chaney is the Vice President of Federal Sales at Forcepoint, where he is responsible for developing and implementing a comprehensive strategic plan to maximize the financial success and growth of Forcepoint’s Enterprise Security Software across the government.
Chaney served 23 years in the U.S. Navy and retired as a Commander. He is a qualified Surface Warfare Officer (SWO) and worked in the SIGINT, network, IT, and CNO/IO cyber arenas supporting the Navy, all facets of DoD, and the Intelligence Community.