MeriTalk - Where America Talks Government
Steve O'Keeffe

Posted: 2/21/2013


Google Cars and Continuous Monitoring
If I make my living driving - and as the son of a London cab driver, this hits close to home - I've got a weather eye in the rearview mirror watching Google changing lanes. Will Google's self-driving cars push me off the road?
But if automation's bad for the automated, it promises huge dividends for the rest of us. And, in some cases, the automated are celebrating the changes. Enter DHS Continuous Monitoring - the $6 billion cyber security juggernaut that promises to revoke driving privileges for bad guys on the information superhighway. Many CIOs and CISOs see CM as a way to turn their jalopies into Batmobiles.
Less is More
FISMA's FUBAR - nobody's arguing that one. Spending one in four cyber security dollars on a 300-page system audit every three years doesn't cut it in a world where threats change every minute. There are 1,100 controls in FISMA - but that doesn't mean we need to test every system against every control. Ron Ross and the NIST team never intended that. The truth of the matter is, we need to cut the cholesterol to boost security.
Policy Priority
Most importantly, this is not about technology - it's about a policy shift. We need to explain to the Hill, IGs, and OMB, that it's not about doing more with less - it's about doing less better, and doing it all the time.
Cowboy Up
If we're to realize a policy shift, CIOs and CISOs need to pull together on the same lariat. The whole community needs to explain to leadership that CIOs and CISOs must be empowered to make executive decisions about the right security controls to implement. And - I know this sounds crazy in government - which controls to let out of the corral. To be clear, this is not about slacking off on security. IT needs to demonstrate rigor in making the case for what to do and what not to do. Execs need to take real responsibility and back decisions with hard data. To succeed, SANS Institute and other think tanks tell us we need to focus on 20-30 common controls - and implement them across government.
So, which controls make it to the rodeo? This is a good time to introduce the old nutshell - RoI of cyber security. At the January 31 Cyber Security Exchange meeting, CISOs told us 80-90 percent of security breaches are associated with 5-10 percent of controls. So how about we let agency cyber defenders make the call about where and how to defend - and hold them accountable for those decisions? Isn't that what executive means?
Conspiracy Theory?
Never fear, I'm not talking about Roswell or JFK. In that same January Cyber Security Exchange meeting we heard that 80-90 percent of the cyber security vulnerabilities at Federal agencies are common across the respective agencies' cyber security audits. But, tragically, there's little or no information sharing among agencies. Ironically, Federal agencies are failing in cyber because they're failing to conspire. Each agency is collecting its own cyber vulnerability and threat information, but failing to share that data with other agencies - either because they're afraid of looking weak, or because the data's trapped in proprietary formats, or both.
It's time for Feds to open up to one another - and further to set up a machine-readable clearing house for cyber security intelligence. And, yes, there's a reference back to the Google cars - if alerts were machine readable, humdrum updates could be automated, leaving expensive humans to focus on higher value, analytic tasks.
Call Shotgun?
A big pour this week - the cup's flowing over into the saucer. John Streufert and Continuous Monitoring promise much needed new efficiency. But the change is not simply about new technology - it's about new thinking and IT empowerment as well as accountability. The question is, is Uncle Sam up for riding shotgun? Afraid that's not a question you can Google.
