W. Hord Tipton


Posts by W. Hord Tipton

My perspective on the outlook for cyber initiatives is quite different heading into the New Year than in past years.

While there are always budgetary uncertainties and looming cuts in government IT spending, this year, we face an unprecedented financial uncertainty as our nation stands on the edge of a fiscal cliff. That will impact not only the resources we have to invest in technology, but how people work and live.


The DHS Task Force on Cyber Skills released a much-anticipated report last month on the state of the cyber workforce within the Department of Homeland Security.

Commissioned in June 2012 by Secretary Janet Napolitano, a group of government and industry leaders was tasked with “identifying the best ways DHS can foster the development of a national security workforce capable of meeting current and future cybersecurity challenges.” The group was also charged with “outlining how DHS can improve its capability to recruit and retain that sophisticated cybersecurity talent.”

Communication about the perils of taking inappropriate risk – and how to accept or not accept IT risk in government – is seriously lacking these days. There is clearly a link missing in the chain that connects government business managers with matters of importance such as IT risk.

Take, for instance, the Utah data breach and all of the “lessons learned” that have been discussed since the breach exposed the health data of 500,000 people and the Social Security numbers of 280,000 Utah Medicaid recipients. The incident, which took place earlier this year, led the executive director of Utah’s Department of Technology Services to resign in May.


In the wake of Flame, there have been many interesting headlines bubbling up over the past several weeks regarding policy development of cyber “offensive” measures and the future of overall worldwide cyberwar policy. Perspectives vary greatly as to the future of cyber offensive measures, with one author going so far as to say that the world will be a better place when war strategies shift from the physical to the cyber realm.

One thing is clear – discussions of ‘striking back’ at an entity that has just hacked a government system or retaliating when a breach is identified signals a significant change in the traditional US Government mindset and combat philosophy in general. Will the change from a primarily defensive strategy in securing government systems to an “offense” mentality improve our national security posture? Likely so. Are we prepared to engage? It appears we are even willing to make a first strike.

Our organization, (ISC)², recently participated in the IT Acquisition Advisory Council’s 40th IT-AAC Leadership Roundtable, where high-level cloud stakeholders came together to discuss cloud security, FedRAMP and beyond.

Although I was unable to engage live in the roundtable discussion, I do have some thoughts for government officials to consider as they address the many complexities of securing an initiative that holds more promise for the federal government than any other IT innovation in decades — the cloud.

For those tasked with managing risk throughout the enterprise, and who follow my blog postings, you’re familiar with a theme I stress often regarding information security best practices: “An ounce of prevention is worth a pound of cure.”

For practitioners and managers tasked with enterprise risk management, you can apply this approach to all your decision-making, whether you’re looking to make new technology purchases, implement new policies, or, perhaps most importantly, hire new people.

What do well-balanced information security professionals look like, and why should the government be hiring them?

With the release of the National Initiative for Cybersecurity Education (NICE) Framework and much talk about the cyber human capital crisis, one question that keeps coming up is “what type of information security professional should agencies be hiring?”

When someone says they shop at Costco, you can likely assume they are either 1) a member of the public seeking lower-cost options for everyday expenses, or 2) a member of the retail community seeking to apply margins to low-cost products. Either way, shopping at Costco or any other wholesale warehouse seems to have become a means of survival for those weathering the last few years of the infamous economic “downturn” and a symbol of consumer adaptation.

In a federal technology-focused e-newsletter this week, I was humored by the use of the term ‘Costco Federal’ when referencing the strategy and tactics some agencies are using to procure the latest IT products. While the popular wholesale warehouse chain is not, to my knowledge, currently competing for large government IT procurements, the term undoubtedly demonstrates a resounding anticipation of the need to “save money” as we enter the next fiscal year. Given the strained economy, coupled with the uncertainties of an approaching election year and headlines like “Budget austerity is coming — what should you do?”, I think it is safe to conclude that today’s IT purchasing decisions are being greatly influenced by a knowledge of the inevitable — budgets WILL be cut.

Throughout my years in government, I engaged in many discussions regarding the convergence of information and physical security assets. While the “why-fix-it-if-it-ain’t-broke?” argument advocating the effectiveness of maintaining the separation of logical and physical security still stands strong in some circles, there is no doubt that convergence has become a growing fad.

At (ISC)2, we often poll our members on topics that represent a potential impact on the information security profession. Just prior to our recent (ISC)2 Security Congress, co-located with ASIS International’s 57th Annual Conference & Exhibits, we took the opportunity to poll our members on the integration of traditional and information security and discovered that many hold to the belief that information security and physical security should not be separate but equal and complementary entities.

In my last blog posting, I expressed my thoughts on the importance of taking a holistic approach specifically to addressing the recent proliferation of software vulnerabilities. But truly, this approach applies to addressing all cybersecurity vulnerabilities.

I was reminded of that this week when I read a well-known security figurehead’s very myopic response to a newly released cyber education strategy, called the NICE Strategy, implying that the strategy will have little or no impact if it is not updated to focus on developing critical ‘hands-on cybersecurity skills’.
