Gaining Network Visibility Helps Boost Security
“Knowing where all your devices are is step No. 1, and this is, believe it or not, the major thing that organizations do struggle with,” he adds. The New Jersey Courts system had made progress on this front, Naseem says, and then was able to identify what kind of traffic was coming into the network and when.
This can be implemented through network access control technologies, Naseem notes. The next step the court system took was to classify different devices into buckets and make consistent policies for how each kind of device is allowed to interact with the network.
Naseem tells Government Technology that what keeps him up at night relates back to what he calls an “engineering problem.”
“To me, everything is about defining things in a big-picture format, then acting on it with an engineering mindset and then training the operational teams to be able to deal with it,” he says.
A key priority for Naseem is to “make sure that those actions by the operational teams are directly in line with the way that we’ve engineered the systems. Did the overnight operational teams know how to act on a particular engineering rule that we’ve created? We’ve seen so far that they know how to do that, but it’s an ongoing situation.”
Security Awareness Training Is Critical
In addition to gaining greater visibility into the court system’s network, Naseem has been working to enhance security training for users, including IT staff.
“So without knowing where all your devices are you can’t protect it, right?” Naseem tells CyberScoop. “Without having the proper staff to look at the policies to look for any gaps, to be resilient and persistent in following different threats, is key.”
Naseem says his staff has cybersecurity awareness, but also has what he terms cybersecurity readiness and performance.
“To me, awareness is knowing something, and readiness and performance is having the right amount of knowledge and the right amount of training to be able to act on a problem,” he tells Government Technology. “We actually measured cybersecurity readiness and performance of our staff for many years beforehand. This is unique. We weren’t talking about it, but we wanted to know the knowledge, behavior and attitude of our employees. We measured that mathematically.”
“One of the steps we’ve been taking is looking at the high-profile users — someone who doesn’t have the right amount of knowledge about phishing — and asking, can we monitor them differently?” Naseem says. “Can we act on them differently?