By Steve O’Keeffe – http://bit.ly/xpzZwI
- No No: Stop using security as the fall guy for blocking IT change. Security does not stop cloud, mobility, or telework. Oh, and by the way, can anybody understand FedRAMP? Can anybody show me a company that’s signed up to be a FedRAMP Third-Party Assessment Organization – 3PAO?
- Secure ID: How about establishing minimum credentials for Federal cyber security professionals – and yes, that includes CISOs.
- RoI PDQ: Why doesn’t the Federal IT security community work together to establish a common security RoI framework to make the business case for funding? Yes, we’re talking credible dollar and cent values for CFOs.
- Pain Threshold: We need to realize that tech is moving fast. Government can’t afford to design for the worst case any more – and, by the time we deliver, it’s irrelevant. We need to prioritize vulnerabilities and have the integrity to stand behind real-world, cost-benefit decisions – even when things go wrong.
- Good, Bad, Ugly: Why not build a clearinghouse where Feds can rate their experience with tools? What works, what doesn’t, what’s worth the jingle, and what was your experience working with the vendor?
- Pass/Fail: Here’s a third-rail suggestion – but it makes a lot of sense. Why not set up an annual penetration test for all agencies? If agencies fail, why not move the budget and security function to a shared service provider in government?
- Take a CIP: What’s next for HSPD-7 and PDD-63? Who’s got the ball? Are we making any progress? Will it take a foreign Stuxnet to wake us up?
- In the Clear: Why not establish common security clearances for civilian agencies? What say you, OPM?
- Better by Design: Why doesn’t the government use its purchasing power to drive industry to develop better, more secure systems? Security needs to be embedded below the operating system in every device – and we need common standards for a united defense. And, if government specifies security requirements, it needs to only buy products that pass.
- Dialogue > Monologue on Standards: NIST publications are living documents. We need to provide more opportunity for feedback and input from Federal security professionals – let’s start with NIST’s new version of SP 800-53, due to be announced late in February.
The net here, the word from Federal cyber security leaders, is that the security challenge is not insurmountable. We need to chew through it in manageable bites. It’s time to separate the 2012 problems from the 2030 ones – so that we can implement meaningful, practical solutions. And, as we size up the challenges ahead, let’s not forget those in the rear-view mirror. The truth is we have a pile of 1992 problems that we have already solved. The challenge, because agencies are not utilizing SOP, is that those ’90s issues continue to rear their ugly heads.