The cutting-edge conundrum: Why federal agencies can’t compromise on security

Invicti sat down with Ryan Cote, former CIO for the Department of Transportation, to chat about AppSec in government and how agencies can modernize security.

2021 was a banner year for cyberattacks, with reported breaches increasing by 68 percent. The record-breaking number of 1,862 data breaches put previous years to shame, especially considering industry-rocking incidents like Log4Shell, which had most organizations in the public and private sectors scrambling to secure their supply chains. Attacks aren’t slowing down, and they’re not getting easier to combat, so why isn’t security adoption keeping pace?  

A string of efforts from the government – like a new OMB memo and the executive order on cybersecurity – aim to combat software security threats and get ahead of potentially damaging data breaches. But the road to improved security posture in the public sector can seem steep and winding, even more so when agencies are still relying on outdated legacy systems and tools that hold their teams back from modern web application security. 

What worked well ten years ago simply isn’t good enough today if agencies want to safeguard their information, prevent breaches and attacks, and future-proof their security processes with cutting-edge technology. I recently sat down with Ryan Cote, former Chief Information Officer (CIO) of the U.S. Department of Transportation (DOT), to discuss some of the hurdles agencies face when securing their software and see why they need to take modernization seriously. 

A breach is more expensive in the long run

A lack of budget can easily push application security initiatives to the wayside, even in a government agency environment. But when the worst happens because you weren’t prepared, breaches and cyberattacks cost a pretty penny: according to IBM Security’s Cost of a Data Breach Report 2021, between 2020 and 2021, the average cost of public sector data breaches skyrocketed to $1.93 million. The surge of cyberattacks coupled with increasing financial impacts means dedicating part of your budget to security is more important than ever. 

With a glaring digital target placed squarely over government agencies, one piece of the puzzle is investing in a comprehensive platform that helps scan your software at each critical stage of the development lifecycle. And while getting stakeholders to agree on that investment might be a challenge in itself, the repercussions of not investing in modern application security can come back to haunt agencies. 

It can take a while to adopt new technology

As Ryan notes, it can sometimes take government agencies years to build applications, which is part of the conundrum in the race to modern technology. That means implementation is more of a hurdle for some agencies, especially when tools require a lot of setup time or adjusting. Agencies need solutions that integrate right into their existing workflows so developers and security professionals can start scanning from day one. 

Speed is an ever-critical factor in software development, and security is an area where shifting left can lessen the burden. Adopting modern application security tools helps agencies integrate accurate, automated security checks earlier in the development process, which saves time and reduces manual work. When tools plug directly into existing workflows and processes, developers can get started more quickly, with fewer barriers to adoption.

Combining tools saves time and keeps everyone honest

As Ryan explains, it’s common for government agencies to “have outdated legacy solutions that try to do the same things in application security with vulnerability scanning.” By moving to a single platform where everything is streamlined, integrated, and continuous, agencies are able to consolidate their tools and save money. A single platform reduces scan time and improves prioritization, too, which is a stress saver for developers chasing deadlines. Instead of managing six tools, teams have everything they need in one place with reliable, accurate results.

Accurate reporting matters in your application security program, providing clarity and accountability. Ryan suggests weekly standups to review dashboards and track improvement. “When you start pointing to numbers, people begin to work towards getting that number down,” he explained. The benefits are twofold: uncovering areas that need improvement while also highlighting team wins.

Just as reporting helps keep everyone honest, it’s a great way to celebrate progress and benchmark goals. Having clear data on hand that shows which agencies are remediating vulnerabilities and bringing down their security debt is a great proof point for success and encourages others to adopt best practices that improve security posture.

It’s a culture change with a lasting impact for all

If we want to make meaningful change, Ryan stresses the need for leadership that fosters a security-minded culture. Cultural transformations start at the top, whether you’re running a federal agency or a small business. They help break down communication silos and empower employees to speak up, lending a hand in changing processes for the better. 

But having a culture focused on security is also about making changes quickly for more effective digital transformation, Ryan says. Leaders need to take action and implement tools without delay, then work with the entire agency on adoption of security best practices. “We acted with speed, purpose, and intensity, and we knew that digital transformation and IT modernization was something that was absolutely critical. We couldn’t afford to wait.”

One of the ways the DOT is attempting to expedite change, Ryan says, is through a newly formed and filled position for an Associate CIO for Application and Digital Solutions, alongside the recently formed DevOps council that acts as a catch-all for application security needs. With a DevOps council in place, it’s easier to get department-level stakeholder buy-in, ensure that everyone is on the same page with application security, and keep tabs on each new application that’s developed. Leaders who step up to own these initiatives and make them a part of everyone’s job have an easier time establishing effective application security cultures that last.

Curious how Invicti’s solutions help government agencies modernize their approach to software security? Learn more about achieving web application security without compromising on speed for agility.