It's essential to modernize the Defense Department's perimeter-based security models and compliance requirements that prevent DOD from transforming the way it achieves its objectives, information technology experts said in response to evolving cyber risks.
Peter T. Ranks, deputy chief information officer for Information Enterprise, discussed a range of IT issues yesterday at the Defense One Tech Summit via remote video. He was joined by Jeanette Manfra, the director of government security and compliance for Google Cloud. Manfra served in the Army as a communications specialist and a military intelligence officer and in high-level IT positions in DOD and the Department of Homeland Security.
Ranks said DOD has served as a model for other agencies during the COVID-19 pandemic as the department has increasingly realized the value of having infrastructure in place for workers to work remotely, particularly in cloud computing.
Working remotely involves an architecture that meets the need of users wherever they are so they have access to data, he said. But Ranks noted that it's important to have a zero-trust mentality when it comes to cloud computing, which means being aware of the possibility of getting hacked.
Manfra noted that two forces are tugging in different directions in digital communications: security compliance and mission outcomes, which involve speed, productivity and agility.
"Security compliance acts as blocker sometimes," she said, adding that security compliance often doesn't measure and detect what it's supposed to.
"You have to have a zero-trust mindset and move beyond the idea that a perimeter is going to keep you safe," she said, noting that insider threats exist.
A solution to the two competing forces, she advised, is to bring in security experts early in software development so there's a dialogue and an understanding about each other's expectations and what is possible.
A particular area where transparency is necessary, she said, is having a good dialogue with cloud providers to aid in managing risk and reducing uncertainty.
Manfra also suggested that the "digital fortress" mentality that aims to keep intruders out can also hamper the innovations offered by commercial clouds, such as data analytics, artificial intelligence and edge computing.
Ranks and Manfra both emphasized the importance of having a well-trained workforce. They said not everyone needs to know how to code, but everyone should understand the fundamentals.