CISO Advice from CTO Roopangi Kadakia on Federal Cybersecurity
CISO Advice from CTO Roopangi Kadakia on Federal Cybersecurity
Federal cybersecurity challenges are universal and yet unique — every organization faces cyber risk, but the nuances can change based on the organization’s mission, size, customer data, and more. We reached out to Roopangi Kadakia to uncover the latest federal cybersecurity trends, challenges, and best practices for chief information security officers (CISOs).
Roopangi has worked as a CTO and CISO in both the public and private sector and has dealt with a variety of federal cybersecurity-related challenges, including budget constraints (of course), an IT-enabled world, and unintentional but dangerous insider threats. We are so pleased to have the opportunity to speak with her and learn more about the work she has done to protect several different organizations from cyberthreats.
Q&A with Roopangi Kadakia
Please tell the readers about your current role, company, and relationship with LogRhythm.
I am the senior vice president and chief technology officer for XentIT, which was founded in 2006 and is a cybersecurity firm with over 600 clients in federal, state, and local government as well as in the commercial space. We also have a wholly owned cleared subsidiary working with government customers. We specialize in federal cybersecurity and compliance, secure cloud, DevOps, managed services, and technology reselling services. We function as a virtual and seamless extension of our client’s service and delivery organization providing high-value, high-performance, and high-quality business information solutions. We understand the complexities of our client’s business model and deliver solutions that fit their needs.
XentIT is a gold partner of LogRhythm providing professional and reselling services. We use LogRhythm products in our cloud security stacks which are available in both the Azure and AWS marketplaces.
You’ve previously acted as the CISO or CIO for several companies and federal agencies. Can you explain more in detail about your past experience?
I have over 25 years of government and international technology and cybersecurity experience. On the federal side, I have been the Deputy Assistant Secretary, Chief Information Security Officer, and Chief Cloud Strategist for the Department of Veterans Affairs; Web Services Executive at NASA; CISO for the International Finance Corporation of the World Bank Group; CISO for Department of Homeland Security, Science and Technology Directorate, and Technical and Security Director for FirstGov (now USA.gov) at the General Services Administration.
On the commercial side, I worked at Capital One as Senior Director in the Cyber Risk Management organization. So, I’ve had to balance several priorities for cybersecurity risk and overall risk perspective, including; financial risk, protecting intellectual property, and securing a company, agency, or department’s infrastructure from cyberattacks.
With so many different roles and at different levels, did you find the same cyber challenges at each agency or company? If not, what did you see that was unique to a specific organization?
Well, some challenges are unique to an industry such as public sector. One thing that we had to consider as part of the impact of a breach at an agency is the effect that it would have on public trust. Since government agencies are taxpayer-funded and taxpayer-serving, public trust is a critical element of delivering the services and mission that each agency is responsible for. If people don’t believe that their data is safe with the government, they may be less likely to engage with us, or take advantage of the taxpayer-benefitting services that we’re offering. We had to think about that when weighing the impact of a breach, because that’s an additional “cost” that can impact corporations in a different way. Risk for a government agency that relies on public trust is different from corporate risk. Something that a corporation considers low risk, could still be medium-to-high risk for a government agency, since any breach is publicized and impacts how we engage with our citizens or customers.
Sometimes the challenge is the same for government as it is for the private sector. When I was at NASA, we knew that we had a lot of valuable IP that other countries wanted to get to. It was a given that they were attacking us daily to find a way into the network and exfiltrate whatever data they could get their hands on. We had to assume that they were already inside and focus on internal defenses as well as the perimeter. Maybe they hadn’t gotten inside yet, but someday and somehow, they would, and we needed to be ready. Nowadays, assuming attackers have already gotten into your network, or eventually will, is standard practice for CISOs and security teams, but even a decade ago the general understanding and culture of cybersecurity had not progressed that far.
We started looking at data inside the network and focused on how we could encrypt it as an additional layer of defense, which comes with multiple facets such as encryption in transit and encryption at rest. That requires a ton of tasks and tools to be coordinated in a seamless process in order to protect critical data, while still allowing the internal user to access what they need. To do that with every piece of data and file, is a monumental task. Instead, it’s important to think about what needs to be encrypted and protected by determining your risk factors.
Is there anything else you believe will become a standard for cybersecurity teams over the next 10 years?
Yes, I think we’ve seen an awareness of cyber risk at the executive level grow over the past five or ten years, and that will continue to increase in the future. Right now, cyber risk is one element of the overall risk posture of an organization. There are many other factors to consider such as financial risk, personnel risk, industry-specific risk, and more. Cyber risk should be a part of every decisions made in an IT-enabled organization.
I’ll give you an example. I joined one agency and started working with a team of engineers who had a good understanding of cybersecurity. Before I got there, they had spent some time looking for ways to share data and collaborate more quickly and efficiently, settling on Google Docs. This was when cloud-based services were just becoming widely known and used, so the security concerns weren’t as well understood as they are today. The data that these engineers were working with was export-controlled data. When you’re using cloud-based platforms, or really anything external to your organization, you don’t have total certainty of where that data is stored or who has access to it. The consequences for mishandling export-controlled data can be up to $100,000 of fines per document, plus jail time.
This is a good example of how cybersecurity — especially federal cybersecurity — needs to be a part of every decisions made and why you should include members from every level into the process. These engineers saw an opportunity to work together more efficiently, but they forgot to factor in cyber risk. Cyber risk isn’t just dealing with a breach or an attempted attack. Cyber risk can be increased or decreased with every action we take and every link we click on. When you are looking at your security posture, you must look at the aggregate of behaviors across the organization. Is someone accessing sensitive data more often than they normally do? Or accessing something sensitive that they do not routinely use in their role? That is a risk even if they have not done anything with the data yet. Cybersecurity is about more than paying attention to behaviors and actions that are overtly malicious or risky. It is also about tracking behaviors that could introduce risk and making sure those are addressed.
What other tools and best practices do you see as being helpful to a CISO and SOC team as they look to make cybersecurity pervasive across an enterprise?
First and foremost, all decisions need to be made with cybersecurity in mind, not just in the IT organization or at the CISO level, but at the user level as well. So much of our daily work happens from connected devices now, and that means individual users can raise or lower the cyber risk of their organization quite easily.
At the organizational level, resource constraints are always an issue. As a CISO, you could have five hundred challenges and either address ten of them well or one hundred of them not so well. You only have so many resources available, so there are two things you can do. The first, is to pick your biggest priorities and address them as best you can. Or you can offload as much as possible using tools that can automate the work for you, so that you can focus on necessary tasks.
Continuous monitoring is a big focus right now from a cyber perspective. Any time you have events or changes that can impact your risk posture, you must make some risk-based decisions about how to proceed. It’s not a scheduled cycle — it’s ongoing — and you must pay attention every time there is an event that can affect cybersecurity. If a tool can tell me when a decision or review is needed, that is critical. This is going back to events that may impact cybersecurity but aren’t security-related events such as the engineers using Google Docs to share export-controlled data. Every action taken with an IT-enabled device can impact security, so how does a SOC team with limited resources keep track of everything that’s happening and know when something requires investigation? The scope of data that needs to be monitored is too huge to be done by people, so I look for tools that can intelligently monitor it for my team with the ability to alert us when human review or intervention is needed.
There is a lot that CISOs and security teams need to monitor, relying heavily on technology to get the job done. In your roles at DHS, the VA, and World Bank, what requirements did you keep in mind any time you were investing in new technology
In all my experience, I only built a SOC from the ground up one time. It’s far more common to take the existing set of security tools and look for ways to augment those capabilities rather than starting from scratch. When I consider new technologies, I look at what the cost of operating that technology would be, not just the initial purchase price. Other factors to consider are how many people would you have to train to use it or how long does the training take and how much would it cost. I knew of one agency using a SIEM that required multiple dedicated engineers in order to customize any rules that needed to be written. That did not work for my team, as we did not want to spend funds on the additional headcount that would need to be maintained every year.
Another thing to consider is vendor lock-in. Federal agencies know that there will be contract changes every three, five, or ten years, so we want to make sure that there is a way to move from one vendor to another. It doesn’t mean that we will, but if you have too much IP that is hard to transition to something else, that becomes a negative when you are looking at it from a requirements or contracts perspective. It’s important to know if there are APIs that will help move data at the end of a contract.
Today, I would think about integrating security into agile practices. When we use agile practices, we need to look at events that could create security issues. For example, this could be a misconfiguration because you are moving fast, or your change management practice has a gap that leads to holes in your security posture. When you have shared infrastructure, you can have security vulnerabilities that are an aggregate of minor issues. A lot of that is through misconfiguration and missed change controls. Be sure to look at all possible data and think about behaviors that can impact security, even if they are not directly security related.
Any last takeaways or words of wisdom for CISOs and CIOs to consider?
CIOs and CISOs are responsible for setting policy, aligning resources, and running the security team, but they also need to drive a culture focused on cybersecurity, at every level of their organization. There are simply too many ways for attackers to get in — especially as we see everyone moving to remote environments for the foreseeable future, adding new devices and network connections. Cybersecurity is about more than maintaining the network perimeter or securing devices. We need to bring an awareness of cybersecurity into every decision made across an organization, since cyber risk can be introduced by any user at any time.
Thank you, Roopangi, for sharing your experience and valuable insight on the ever-changing landscape of federal cybersecurity. From all of us at LogRhythm, we appreciate the work you have done to help countless teams and organizations protect valuable data and national intelligence throughout your tenure.
Achieve Federal Compliance with LogRhythm
CISOs in the federal space have a monumental task to keep up with the growing landscape of cyberthreats, but not every organization has the budget or resources to staff a fully funded 24/7 SOC. As Roopangi stated, investing in the proper tools to automate some of the workload can help security teams get the job done efficiently.
LogRhythm has worked with CISOs from Civilian and Defense agencies to increase their security maturity by addressing the evolving threats and challenges with a full suite of high-performance tools for security, compliance, and operations. LogRhythm’s comprehensive log management solution helps federal organizations comply with a myriad of regulations (e.g., FISMA, NERC CIP, HIPAA, DoDI, and NIST CSF) and combat cyber threats.
Speak one-on-one with a product expert to learn more about how LogRhythm can help your team achieve federal cybersecurity compliance.