Making the workforce place fun again with eMASS automation to accelerate RMF accreditation.
There are many reasons to pursue a career in cybersecurity. Across the board, cybersecurity roles offer abundant employment possibilities, competitive pay, growth opportunities, job security, exciting day-to-day tasks, and the chance to make a difference.
But what if your day-to-day is neither exciting nor fun? What if, instead, it consists of long days and much stress? The work environment can be nerve-wracking and overwhelming if you are a security engineer, CISO, or security analyst working in security compliance. The rise in data breaches, cybercrime, and workforce shortages is enough to make anyone anxious and on edge.
As technology rapidly evolves, so do the tactics used by cybercriminals, adding an underlying layer of stress to the work of protecting the nation’s infrastructure and networks. So how can anyone cope with all of this AND do more with less when time and resources are at a premium?
Taking a look at life in the cyber trenches
Let’s face it. In today’s cybersecurity work environment, no one will ever have enough money for compliance. There will always be enough money for the underlying security, but will there be enough people for it to be fully effective? For the foreseeable future, today’s cyberworkforce challenges will leave even the best funded organizations shorthanded.
We searched the internet to see how that is leaving cybersecurity professionals thinking and feeling and what we saw amused and saddened us:
- “Crying in meetings mostly. But in all seriousness, it’s a large privately held company that never really thought about infosec but is trying to get investors and is facing audits, so it decided it needed a CISO who hired me. I’m building the team, guiding a bunch of projects and herding cats.”
- “I drink a lot, my back and shoulders are shot, my eyes suck, and I don’t sleep. I do get paid a lot, though.”
- “You sound like me. I don’t get paid fairly for what I do. I actually wish they got a real threat attacking their systems so I can say ‘I told you so’ as I walk out to enjoy the flames from the outside.”
- “We have a lot of ground to make up. Adversaries are outpacing us faster than ever it seems.”
- “Not CISO, but in a similar situation. Can relate. Don’t drink, but I’m overweight.”
- “Went from architect in infrastructure to Infosec a few years back after solving a bunch of security related issues there only to inherit a million more.”
What you see in every one of those anecdotes is stress. The work they love has—because of workloads, company processes, or the nature of the industry—caused them physical and personal issues they didn’t expect. And, sooner or later, most (if not all) of them will leave their jobs for something less stressful. Like air traffic control. Or lion taming. And the cyberworkforce shortage will continue.
But what if there were a way to cut out a lot of the stress and annoyances while leaving the culture you enjoy intact? An example would be automating the merge of SIEM and eMASS data and having both methods match your checklists, automated systems, and logs because sound rulesets and policies ensure the processes are running effectively, efficiently, and easily for analysts. As a result, something that used to take 100% of your time (and patience) now takes 20% of your time and leaves you free for tasks only humans can do.
Making work fun again with eMASS automation
Today’s eMASS subsystem enables system owners to record asset information on servers, workstations, network devices, etc., and upload applicable scans and Security Technical Implementation Guide (STIG) checklists. eMASS automatically applies a “mapping” of STIG items to security controls such that any STIG item not implemented will result in a corresponding security control being labeled as non-compliant.
There are four significant areas where automation can be applied to provide a real advantage to the operationalization of cyber compliance within the DoD:
- Automate and reduce the effort/errors in merging non-technical CKL data with machine-generated technical data
- Automate and simplify the production and input of compliance data into eMASS
- Automate and reduce the effort to produce, name, and store a fully populated STIG Viewer Checklist in bulk (by the 1,000s)
- Provide complete CKL data to SIEM data feeds so that complete compliance data is easily accessible through integrated enterprise dashboards
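The STIG-to-control rollup described above, with the CKL-plus-scan merge from the first bullet, as an added example that is not SteelCloud, ConfigOS or eMASS code: the checklist fragment, the scan results and the CCI-to-control mapping are all constructed sample data, and treating unreviewed items as not implemented is an assumption for the demo.

```python
# Added example: merge machine-generated scan results into a STIG Viewer
# checklist (CKL) and roll the result up to security-control compliance.
# All data below is constructed; the CCI->control subset is an assumption.
import xml.etree.ElementTree as ET

# Constructed CKL fragment in STIG Viewer layout: each VULN carries
# VULN_ATTRIBUTE/ATTRIBUTE_DATA pairs plus a STATUS element.
SAMPLE_CKL = """<CHECKLIST><STIGS><iSTIG>
<VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-1001</ATTRIBUTE_DATA></STIG_DATA>
<STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000366</ATTRIBUTE_DATA></STIG_DATA>
<STATUS>NotAFinding</STATUS></VULN>
<VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-1002</ATTRIBUTE_DATA></STIG_DATA>
<STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000366</ATTRIBUTE_DATA></STIG_DATA>
<STATUS>NotAFinding</STATUS></VULN>
<VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-1003</ATTRIBUTE_DATA></STIG_DATA>
<STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000018</ATTRIBUTE_DATA></STIG_DATA>
<STATUS>NotAFinding</STATUS></VULN>
</iSTIG></STIGS></CHECKLIST>"""

# Constructed machine-generated result: a scanner found V-1001 open even
# though the manually filled checklist says NotAFinding.
SCAN_RESULTS = {"V-1001": "Open"}
# Constructed subset of a CCI-to-NIST-control mapping (assumption for the demo).
CCI_TO_CONTROL = {"CCI-000366": "CM-6", "CCI-000018": "AC-2"}


def parse_ckl(ckl_xml):
    """Return {vuln_id: (cci, status)} from a CKL document."""
    items = {}
    for vuln in ET.fromstring(ckl_xml).iter("VULN"):
        attrs = {sd.findtext("VULN_ATTRIBUTE"): sd.findtext("ATTRIBUTE_DATA")
                 for sd in vuln.findall("STIG_DATA")}
        items[attrs["Vuln_Num"]] = (attrs["CCI_REF"], vuln.findtext("STATUS"))
    return items


def merge_scan(items, scan):
    """Machine results overwrite the manual status for the same Vuln_Num."""
    return {v: (cci, scan.get(v, status)) for v, (cci, status) in items.items()}


def control_compliance(items, cci_map):
    """A control is non-compliant if any mapped STIG item is not implemented.
    Open counts as not implemented; Not_Reviewed is treated the same way here
    (conservative assumption, so an unreviewed item never hides a gap)."""
    result = {}
    for cci, status in items.values():
        control = cci_map[cci]
        implemented = status not in ("Open", "Not_Reviewed")
        result[control] = result.get(control, True) and implemented
    return result
```

Run on the sample, CM-6 reads compliant from the manual checklist alone and flips to non-compliant once the scan result is merged, which is exactly the discrepancy the merge step exists to surface.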
As you can see, this alone drastically reduces the time it takes to merge, scan, and store compliance data. The part of eMASS compliance that gets automated is the rote procedures that drive professionals up the wall and cause stress, so everybody wins.
Accelerating RMF accreditation to the delight of employees
Another significant benefit to automating eMASS is accelerating your RMF accreditation. Loading STIG Viewer Checklist data into eMASS is burdensome. Still, it gives you a comprehensive view of your manual and machine configuration management and cybersecurity checklist, which is extremely valuable for RMF accreditation.
SteelCloud worked with the DoD to reinvent the cumbersome effort needed to complete and load STIG Viewer Checklist data into eMASS. SteelCloud’s ConfigOS automates the integration of CKL, eMASS, and SIEM data. Merge the CKL and machine data to create bulk checklists, consolidated ARF/ASR eMASS files, and/or consolidated JSON files to populate our DashView Splunk dashboard or your chosen SIEM for a real-time view of security and compliance.
Using automation to solve the workforce crisis
As professionals in every industry and job description tell you, a job isn’t just a job. And if it is, you’re not doing it right. It is an integral part of our lives from which we derive pride and fulfillment. A good job makes us feel good about ourselves. And a lousy job makes us want to leave.
Amid a workforce crisis as bad as the one we are in, employers would need to clone employees out of nothing to have the resources required for compliance. And that’s essentially what automation does—it takes your employees and multiplies their efforts. For example, a tool like SteelCloud’s ConfigOS can remove 90% of the effort involved with compliance, enabling one person to do the scanning and remediation work of an entire team. And that person can be a lower-level cybersecurity professional who learns the business better just by using ConfigOS.
Whether you use it for eMASS or STIG compliance, automation is the only viable answer to the cyberworkforce shortage. It gives your well-educated, highly paid experts a break from work beneath them. And it provides organizations a faster, less expensive, and more accurate way to achieve compliance. But, best of all, it makes work fun again. And in the end, that will ultimately grow the industry and its supply of qualified workers.