
My Cup of IT: Semper Eadem

By Steve O’Keeffe – http://bit.ly/xpzZwI

What do Federal cyber security chiefs and Queen Elizabeth I have in common? The guts and determination to fend off an armada of invaders – perhaps? Despite Federal CISOs’ fortitude and dedication, I’d suggest that it’s England’s warrior queen’s motto that really unites the two. “Semper Eadem” – always the same. That constancy, a virtue for the monarch, is, I regret, a curse for our brave CISOs. You see, the problem in Federal cyber security is that nothing changes…
Looking beyond Semper Eadem for Uncle Sam’s cyber security coat of arms, I’d nominate “De Plagis Usque Meliores Animos Colligerent” – the beatings will continue until morale improves – as a fitting motto. There’s little glory or excitement for those manning – or as Bessy would underline, womaning – the cyber barricades. Today, CISOs are even denied the gallows angst of the FISMA scorecards – perhaps that’s one of the few blessings? Since Tom Davis jumped off the Hill, there’s no parent waiting at home for the report card.
Does it need to be this way? Is there no way to improve the lot of CISOs – and critically to improve government cyber security outcomes? Well, I’ve spent the last six months visiting with Federal cyber security royalty to get real leaders’ takes on what we might do to change the failing equation.
Here’s the top 10 CISO wish list for 2012:
  1. No No: Stop using security as the fall guy for blocking IT change. Security does not stop cloud, mobility, or telework. Oh, and by the way, can anybody understand FedRAMP? Can anybody show me a company that’s signed up to be a FedRAMP Third-Party Assessment Organization – 3PAO?
  2. Secure ID: How about establishing minimum credentials for Federal cyber security professionals – and yes, that includes CISOs.
  3. RoI PDQ: Why doesn’t the Federal IT security community work together to establish a common security RoI framework to make the business case for funding? Yes, we’re talking credible dollar and cent values for CFOs.
  4. Pain Threshold: We need to realize that tech is moving fast. Government can’t afford to design for the worst case any more – and, by the time we deliver, it’s irrelevant. We need to prioritize vulnerabilities and have the integrity to stand behind real-world, cost-benefit decisions – even when things go wrong.
  5. Good, Bad, Ugly: Why not build a clearinghouse where Feds can rate their experience with tools? What works, what doesn’t, what’s worth the jingle, and what was your experience working with the vendor?
  6. Pass/Fail: Here’s a third-rail suggestion – but it makes a lot of sense. Why not set up an annual penetration test for all agencies? If agencies fail, why not move the budget and security function to a shared service provider in government?
  7. Take a CIP: What’s next for HSPD-7 and PDD-63? Who’s got the ball? Are we making any progress? Will it take a foreign Stuxnet to wake us up?
  8. In the Clear: Why not establish common security clearances for civilian agencies? What say you OPM?
  9. Better by Design: Why doesn’t the government use its purchasing power to drive industry to develop better, more secure systems? Security needs to be embedded below the operating system in every device – and we need common standards for a united defense. And, if government specifies security requirements, it needs to only buy products that pass.
  10. Dialogue > Monologue on Standards: NIST publications are living documents. We need to provide more opportunity for feedback and input from Federal security professionals – let’s start with NIST’s new version of SP 800-53, due to be announced late in February.

The net here, the word from Federal cyber security leaders – the security challenge is not insurmountable. We need to chew it off in manageable bites. It’s time to separate the 2012 problems from the 2030 ones – so that we can implement meaningful, practical solutions. And, as we size up the challenges ahead, let’s not forget those in the rear view mirror. The truth is we have a pile of 1992 problems that we have already solved. The challenge, because agencies are not utilizing SOP, is that those ‘90’s issues continue to rear their ugly heads.

The overwhelming takeaway from spending time in one-on-one dialogue with Federal CISOs – it’s high time for a public-private forum for Federal cyber security. Not another conference where people talk at the audience – a real operators’ exchange. That’s why MeriTalk is starting a new Cyber Security Exchange – http://meritalk.com/cybersecurityexchange.php. Our first session is a breakfast meeting on March 21 – http://meritalk.com/cybersecurityexchange-events-bimonthly.php. CISOs, the Hill, GAO, and industry. We’re focused on change. Nos postulo muto…
