
7. Executive Leadership-led Risk Management

Money Doesn't Grow On Trees - Focus Your Spend

Federal executives continue to grapple with how best to allocate funds in addressing prevalent and emerging cyber threats. Federal agencies can empower executives in the fight against cyber crime by taking three calculated actions:

1. Size – Measure overall risk exposure across the organization's value chain
2. Monetize – Adopt a defensible framework for quantifying the benefits of cybersecurity investments
3. Operationalize... more »

15 votes
Public Input

8. Building Effective Security into Acquisitions

IT Hardware Country of Origin Limits

With the preponderance of IT devices and chipsets being manufactured in China, there is a distinct possibility that the PLA is hard-coding spyware and back-doors in the hardware built there. Acquisition laws need to specifically require that all components & sub-components used in sensitive IT / data communications systems be built / fabricated and assembled by U.S. companies in the US. Further, safeguards (inspections... more »

8 votes
Public Input

8. Building Effective Security into Acquisitions

Working with Insurance Industry for Standards

There is a rapid increase in cyber insurance across the commercial landscape. This is getting the C-level attention because the risk and costs are being codified into actual numbers, not just fear of something bad happening. The Federal Government should leverage off this trend and require all Government contractors to have a level of insurance, which will likewise drive a level of accountability and measurement. This... more »

7 votes
Public Input

1. Addressing Cyber Fundamentals

Cybersecurity is everyone’s responsibility

Although the OPM breach has been the major source of cybersecurity discussion the past few months, it is certainly not the only issue that needs to be addressed. During the panel discussion at the NACo Summit we also covered topics like the White House Cybersecurity Sprint and how to better protect systems and data for long-term security.
If you are not familiar with the 30-day White House Cybersecurity sprint, it is... more »

6 votes
Public Input

2. Business Initiated Vulnerabilities

President and CEO

We talk about these issues inside the beltway every day in the THR CIO community. The business owners need to get a job done and take care of their customers. Again, it comes down to explaining in business-oriented words to make the business owners understand, not the cyber language. We also need to do a better job explaining this outside the beltway. There needs to be a coordinated education blitz that is explained over and... more »

5 votes
Public Input

8. Building Effective Security into Acquisitions

Enforce existing requirements

In 2011 the White House via OMB issued a Memo M-11-11 that stated "Effective the beginning of FY2012, existing physical and logical access control systems must be upgraded to use PIV credentials, in accordance with NIST guidelines, prior to the agency using development and technology refresh funds to complete other activities." https://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf. This memo had... more »

5 votes
Public Input

7. Executive Leadership-led Risk Management

Executive-led Risk Mgmt.

Executive Leadership-led Risk Management has not been a part of the past because risk management issues were isolated to factions of the Organization. To keep Executive Leadership engaged in Risk Management activities, execute a Risk Management Framework (NIST) which involves all Tiers 1-3 (Organization, Mission-Business Processes, & Information Systems) in the Risk Management Process/Communications. Two-way Communication... more »

4 votes
Public Input

6. Solving the Talent Search

Challenging Internships in Cybersecurity

Talented students, particularly many female and minority students, are unaware of the career opportunities available to them in cybersecurity. The government and CISO/CIO partner organizations can help colleges and universities grow the talent pool for qualified cybersecurity professionals by creating and publicizing internship opportunities for students. Presently most internships in cybersecurity recruit junior and... more »

4 votes
Public Input

6. Solving the Talent Search

Enhance the Cyber Talent Pipeline Through Early Outreach

Additional assistance can be provided through outreach initiatives that generate interest in this career field far before individuals are ready to seek employment. Providing training and certification in cyber tools and sponsoring cyber competitions, in addition to cyber ‘camps’ for students at the middle and high school level, are great ways to engage youth in this discipline and can connect the dots between success... more »

4 votes
Public Input

1. Addressing Cyber Fundamentals

Director

Currently agencies self-assess their cybersecurity posture. OMB should create an assessment standard and have an independent assessment board of government and industry SMEs assess each agency, via a framework such as the one used for FedRAMP.

4 votes
Public Input

2. Business Initiated Vulnerabilities

Create Gov Wide "Security Maven" Program for Gov IT Developers

Walmart achieved a 92% reduction in security defects by creating a "Security Maven" role to drive security best practices into their software development teams that greatly outnumbered their security teams.

IT security in government is typically organized as a silo focused on protecting production systems. A government-wide security maven program would help tear down the existing "expertise" and "contractual" barriers... more »

4 votes
Public Input

6. Solving the Talent Search

Understanding cybersecurity talent requirements

The first step in tackling the cybersecurity talent search is to develop a better understanding of the competencies required for effective, and proactive, cyberdefense and intrusion response. With the rapid change in technologies and tactics for exploitation and intrusion, defining the required talent is a tall order. As such, new approaches for rapid creation, expansion or tailoring of job series will be needed so... more »

3 votes
Public Input

6. Solving the Talent Search

Cybersecurity Interns

I like the idea of cybersecurity interns next summer, but I couldn't figure out how to comment on it.

I think the government needs to realize that there are big bucks to be made in the private sector if you are really good at this, and so they can't expect people to stay in Government. The Government should be prepared to depend on private sector contractors, who can do this work well.

However, experience in other... more »

3 votes
Public Input

6. Solving the Talent Search

Improve the Taxonomy and Structure of How Cyber Work is Managed

Getting the highest return on investments in superior talent will require investing in creating and sustaining superior working conditions to ensure the best use of that talent. Accordingly, the creation of a work environment that allows government to optimally organize and manage the cybersecurity work and the talent that will perform that work requires that government develop a taxonomy of cybersecurity functions... more »

3 votes
Public Input