Enabling the Software Defined Data Center
Centrally define security policy
Security policies move with VMs
Reduce security as a choke point; accelerate business agility and responsiveness by...
We'd have to drive the conversation to the point where the rubber meets the road, by which I mean an action or behavior, performed by a person, which creates a particular harm. Assuming we could categorize the harms in a way useful for analysis...
1. Establish “white hat” teams that test employees through phishing and spear-phishing intrusion testing.
2. Change enterprise email policy to only allow plain text, preventing unintentional click-through threats.
3. Similar to the “Cybersecurity Tip of the Day” concept, establish a “Cybersecurity Blunder of the Day” program.
• Cyber-attackers have no fear of retaliation, risk or viable legal proceedings.
• There is no U.S. Government legal doctrine to counter cyber-attacks on U.S. industries, governments and citizens.
• The U.S. Government does not have the cyber capacity to protect U.S. industries.
The U.S. Congress should create newly crafted Cyber-Castle Doctrine legislation as a legal framework for U.S. industries...
Perhaps an alternative is providing prioritization for the allocation of existing funds (this mandate is #1, then this executive order, etc.).
With the "public" availability of such a list, audit should become more effective...
Use Cyber Investment Management Boards (DOD example) where cyber projects are presented, defended, and measured against outcome-based performance measures for funding. This helps make cybersecurity accountability a shared responsibility across the organization's senior leadership and helps them understand costs and risk benefits.
Cyber Tips of the Day – the first thing to pop up on the intranet logon screen would be a cyber awareness question (with the ability to quickly check against the answer). These would be focused on knowledge leveling and on increasing awareness of vulnerabilities created by SPAM/phishing attacks, etc.
Create a self-audit checklist that agencies could use on a regular basis to assess themselves on fundamental security capabilities. It would be based on each agency's risk profile. This addresses the problem of having this done only by auditors (GAO/IG) or consultants, and keeps attention and resources on closing weaknesses and vulnerabilities.
Note: the FCC is an example.
1) How do we move from inconsistent security/privacy protection control approaches to solid fundamentals that address the most basic risks faced by agencies?
Leverage the self-audit capability of the SEC as guidance for other agencies.