Current security tools independently address weaknesses; suites of tools offer more complete...
1. Size – Measure overall risk exposure across the organization's value chain
2. Monetize – Adopt a defensible framework for quantifying the benefits of cybersecurity investments
3. Operationalize...
We'd have to drive conversation to the point where the rubber meets the road, by which I mean an action or behavior, performed by a person, which creates a particular harm. Assuming we could categorize the harms in a way useful for analysis...
1. Eliminate “paper tiger” credential requirements. Focus instead on competence.
a. Integrate experience with price; lowest price technically acceptable should not apply in this arena.
2. Standardize cybersecurity processes across government (reference different physical security procedures in place across civilian agencies).
3. Incentivize citizens and the private sector to support a strong cybersecurity posture. Build on the Cybersecurity...
Establish SLAs and/or performance metrics for threat detection, incentivizing contractors.
Data anomalies don’t necessarily catch the extrusion of compressed data and it must be consistently and constantly applied across government. However, the technology is there for content encryption; policies are needed that govern content distribution/risk, allowing focus on critical risks.
1. Approach cybersecurity the same way government now approaches Section 508 compliance – embed it from the start through the finish.
2. Make available a real, visualized threat dashboard to business process owners to educate them on the scope of threat in today’s environment.
1. Establish “white hat” teams that test employees through phishing and spear-phishing intrusion testing.
2. Change enterprise email policy to only allow plain text, preventing unintentional click-through threats.
3. Similar to the “Cybersecurity Tip of the Day” concept, establish a “Cybersecurity Blunder of the Day” program.
• Cyber-attackers have no fear of retaliation, risk or viable legal proceedings.
• There is no U.S. Government legal doctrine to counter cyber-attacks on U.S. industries, governments and citizens.
• The U.S. Government does not have the cyber capacity to protect U.S. industries.
The U.S. Congress should create a newly crafted Cyber-Castle Doctrine legislation for a legal framework for U.S. industries...