Peter Romness is passionate about cybersecurity. He has been working with government customers for nearly 35 years and now, as cybersecurity principal in the CISO Advisor’s Office at Cisco, he focuses on protecting government networks from cyber threats. MeriTalk recently sat down with Romness to discuss how state and local governments and higher educational institutions are investing and gaining knowledge to guard against cyberattacks.
MeriTalk: State and local governments are prime targets for cyberattacks because of the data they hold and their role as providers of citizen services. The Infrastructure Investment and Jobs Act (IIJA) spotlighted critical infrastructure protections, as did the National Cybersecurity Strategy. How have recent Federal legislation and policy bolstered cyber protections for critical infrastructure at the state and local level?
Romness: The current administration deserves some credit. A lot of really smart people have looked at this and provided guidance to state and local officials on what is important for critical infrastructure protection. Through legislation and strategy, they are raising awareness, and they are backing it up with IIJA money – localities can apply for various funding streams. Cybersecurity teams are often looking for that extra lever to use internally, to get funding or buy-in, and it helps if they can say this is something the Feds are pushing. Then they’re not just alone, screaming in the dark anymore.
MeriTalk: Where are state and local governments prioritizing investments in cybersecurity for critical infrastructure? What more do they need?
Romness: State and local organizations can vary greatly in their cyber maturity, but the general theme is that they are trying to get their arms around everything. The most mature organizations are heading toward connecting their security tools across their IT and OT networks so they can start automating processes. Others still take essentially a Band-Aid approach: They buy a new solution for each cyber problem that pops up. They wind up with so many solutions that potential cyber threats are overlooked for lack of coordination.
I don’t envy anybody who does this job. The technology is tough, and so is the human factor: implementing the easiest technology can take a year or more because organizational change around cybersecurity is hard. Inside Cisco, our approach is that the easier we can make it for the end user, the easier it is for the security teams to implement solutions.
MeriTalk: The easier the better. How would it play out for state and local governments?
Romness: A perfect example is multifactor authentication. If you look at zero trust guidance from the government, it says the first thing anybody should do is multifactor. Five years or so ago, I remember trying to get multifactor authentication programs started at various organizations, including state and local governments. As soon as a leader couldn’t immediately log in, the rollout would stop because it was too hard. Today, users realize that multifactor authentication is important, and that’s because companies like Duo, which Cisco bought in 2018, have made it easy. As a security person, I look at that and say, ‘Finally, we’re not being a pain to the end user. They can see we are adding value.’
MeriTalk: Let’s talk about education. Educational institutions are also treasure troves of data – and frequent targets of bad actors as a result. Where are schools prioritizing investments in cybersecurity?
Romness: The unique thing about schools, especially higher education, is that they want to be open environments, open to learning and people. That can pose cybersecurity challenges – but it’s also why universities tend to have more mature cybersecurity programs than state and local governments. They have recognized the need to protect their research data and intellectual property and to secure personal information. They even hire students for their cybersecurity teams. That’s all good news, but they can always do more, and they are now focused on making their security even more efficient and making sure they can see more of what’s happening in their environments.
MeriTalk: When you get to see everything that’s going on in your environment, you get a lot of noise. How do you figure out where to focus?
Romness: If you buy multiple security tools, each one usually picks up noise, and then between them signals can get lost. I call it swivel chair automation, where a person working at a console swivels and says to a colleague at the next console, ‘Hey, did you see any indication here?’ That’s hard when you have 30 devices looking at your environment. As we scan, we are also seeing cyber attackers starting to use common tools for nefarious purposes. If you look at their actions in isolation, you would see what looks like normal traffic. But if you combine the signals from all of your tools in one place, all of a sudden that normal behavior indicates a potential compromise.
Then you can determine where to act. That’s where artificial intelligence (AI) comes in. Cisco has been using AI for quite a while. Several years ago, we purchased a company called Kenna Security, which uses AI to help organizations prioritize their responses to cyber threats. The average threat-hunting organization at a company, school, or local government is able to address about 10 percent of the indications that they get, so it’s really important to take a risk-based, automated approach to cyber remediation. One higher education organization I worked with told me that a normal threat investigation used to take two weeks. Now it takes 15 minutes.
MeriTalk: What advice can you offer organizations that are struggling to prioritize and act on cybersecurity alerts?
Romness: Don’t throw away everything you have – much of it can often be repurposed or reset. We train our people to help customers understand what they have, set goals, and make a plan. It’s not rip and replace – it’s modify and add as appropriate. Many people don’t know, for example, that the network devices in their environment can be used as sensors and control points for cybersecurity. It’s just a matter of how you connect security devices to them. Overall, my advice is to create a secure environment leveraging the security tools that you have and check it against the National Institute of Standards and Technology Cybersecurity Framework to determine if you have any gaps.
MeriTalk: Can you tell us a bit more about how Cisco helps bolster cyber defenses, especially threat detection and response?
Romness: The extended detection and response product that we call Cisco XDR correlates all security telemetry from multiple tools, including intelligence from third-party products, covering endpoints, email, network, cloud, firewall, and more. The idea is that the more you can see, the more you can protect. Integrating all of your security solutions into this one tool changes the very nature of the security defender’s job. It is no longer looking at logs and the tedious stuff of protecting a network. It becomes, ‘Whoa, here are some interesting indications of compromise, and it correlates across all these vectors.’ That’s a much more interesting and efficient job – and it makes the organization safer.
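The correlation idea Romness describes (signals that look like normal activity in isolation, but indicate a potential compromise when combined across tools on one host) can be illustrated with a small script. This is an added example, not code from the interview, Cisco, or any XDR product; the tool names, signal names, the ten-minute window, and the sample events are all constructed for illustration.

```python
"""
Toy cross-tool signal correlation.

Each individual signal (an admin tool launch, a new MFA device enrollment,
a first-seen external destination) is benign on its own. The point of the
example is that only a view combining all tools per host surfaces the case
where all three occur on the same host within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three hypothetical tools (not real telemetry):
# (timestamp, source tool, host, signal)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:05", "endpoint", "ws-101", "remote_admin_tool_launch"),
    ("2024-05-01T09:02:10", "identity", "ws-101", "new_device_mfa_enrollment"),
    ("2024-05-01T09:04:30", "network",  "ws-101", "first_seen_external_destination"),
    ("2024-05-01T10:15:00", "endpoint", "ws-202", "remote_admin_tool_launch"),
    ("2024-05-01T14:40:00", "network",  "ws-202", "first_seen_external_destination"),
    ("2024-05-01T11:00:00", "identity", "ws-303", "new_device_mfa_enrollment"),
]

# Hypothetical rule: all three signals on one host within WINDOW is worth a
# human look; any one of them alone is routine noise.
CORRELATION_RULE = {
    "name": "admin-tool + new MFA device + novel egress",
    "required": {
        "remote_admin_tool_launch",
        "new_device_mfa_enrollment",
        "first_seen_external_destination",
    },
}
WINDOW = timedelta(minutes=10)


def parse(events):
    """Convert ISO timestamps to datetimes and order events chronologically."""
    return sorted(
        (datetime.fromisoformat(ts), tool, host, signal)
        for ts, tool, host, signal in events
    )


def per_tool_view(events):
    """What each console sees on its own: a count of its own signals, with no
    indication that another tool also fired on the same host."""
    counts = defaultdict(int)
    for _, tool, _, _ in events:
        counts[tool] += 1
    return dict(counts)


def correlate(events, rule=CORRELATION_RULE, window=WINDOW):
    """Return {host: [contributing tools]} for every host on which all of the
    rule's required signals occur within `window` of each other."""
    by_host = defaultdict(list)
    for ts, tool, host, signal in parse(events):
        if signal in rule["required"]:
            by_host[host].append((ts, tool, signal))

    hits = {}
    for host, sigs in by_host.items():
        # Slide a window starting at each signal; sigs is already time-ordered.
        for i, (start, _, _) in enumerate(sigs):
            in_window = [s for s in sigs[i:] if s[0] - start <= window]
            if {s[2] for s in in_window} == rule["required"]:
                hits[host] = sorted({s[1] for s in in_window})
                break
    return hits


if __name__ == "__main__":
    print("isolated per-tool counts:", per_tool_view(SAMPLE_EVENTS))
    print("correlated hits:", correlate(SAMPLE_EVENTS))
```

Run stand-alone, the per-tool view reports two events from each tool and nothing more, while the correlated view flags only ws-101, where all three tools fired within a few minutes. Host ws-202 has two of the three signals hours apart and ws-303 has one, so neither is escalated, which is the risk-based filtering the interview describes.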