MeriTalk - Where America Talks Government
Steve O'Keeffe

Posted: 1/25/2012 - 6 comments - 0 trackbacks

Semper Eadem

What do Federal cyber security chiefs and Queen Elizabeth I have in common? The guts and determination to fend off an armada of invaders - perhaps? Despite Federal CISOs’ fortitude and dedication, I’d suggest that it’s England’s warrior queen's motto that really unites the two. “Semper Eadem” - always the same. That constancy, a virtue for the monarch, is, I regret, a curse for our brave CISOs. You see, the problem in Federal cyber security is that nothing changes...
Looking beyond Semper Eadem for Uncle Sam’s cyber security coat of arms, I’d nominate “De Plagis Usque Meliores Animos Colligerent” - the beatings will continue until morale improves - as a fitting motto. There’s little glory or excitement for those manning - or as Bessy would underline, womaning - the cyber barricades. Today, CISOs are even denied the gallows angst of the FISMA scorecards - perhaps that’s one of the few blessings? Since Tom Davis jumped off the Hill, there's no parent waiting at home for the report card.
Does it need to be this way? Is there no way to improve the lot of CISOs - and critically to improve government cyber security outcomes? Well, I’ve spent the last six months visiting with Federal cyber security royalty to get real leaders’ takes on what we might do to change the failing equation.
Here’s the top 10 CISO wish list for 2012:
  1. No No: Stop using security as the fall guy for blocking IT change. Security does not stop cloud, mobility, or telework. Oh, and by the way, can anybody understand FedRAMP? Can anybody show me a company that’s signed up to be a FedRAMP Third-Party Assessment Organization - 3PAO?
  2. Secure ID: How about establishing minimum credentials for Federal cyber security professionals - and yes, that includes CISOs.
  3. RoI PDQ: Why doesn’t the Federal IT security community work together to establish a common security RoI framework to make the business case for funding? Yes, we’re talking credible dollar and cent values for CFOs.
  4. Pain Threshold: We need to realize that tech is moving fast. Government can't afford to design for the worst case any more - and, by the time we deliver, it’s irrelevant. We need to prioritize vulnerabilities and have the integrity to stand behind real-world, cost-benefit decisions - even when things go wrong. 
  5. Good, Bad, Ugly: Why not build a clearinghouse where Feds can rate their experience with tools? What works, what doesn’t, what’s worth the jingle, and what was your experience working with the vendor? 
  6. Pass/Fail: Here’s a third-rail suggestion - but it makes a lot of sense. Why not set up an annual penetration test for all agencies? If agencies fail, why not move the budget and security function to a shared service provider in government?
  7. Take a CIP: What’s next for HSPD-7 and PDD-63? Who’s got the ball? Are we making any progress? Will it take a foreign Stuxnet to wake us up?
  8. In the Clear: Why not establish common security clearances for civilian agencies? What say you OPM?
  9. Better by Design: Why doesn’t the government use its purchasing power to drive industry to develop better, more secure systems? Security needs to be embedded below the operating system in every device - and we need common standards for a united defense. And, if government specifies security requirements, it needs to only buy products that pass.
  10. Dialogue > Monologue on Standards: NIST publications are living documents. We need to provide more opportunity for feedback and input from Federal security professionals - let’s start with NIST’s new version of SP 800-53, due to be announced late in February.

The net here, the word from Federal cyber security leaders - the security challenge is not insurmountable. We need to chew it off in manageable bites. It’s time to separate the 2012 problems from the 2030 ones - so that we can implement meaningful, practical solutions. And, as we size up the challenges ahead, let’s not forget those in the rear view mirror. The truth is we have a pile of 1992 problems that we have already solved. The challenge, because agencies are not utilizing SOP, is that those ‘90's issues continue to rear their ugly heads. 

The overwhelming takeaway from spending time in one-on-one dialogue with Federal CISOs - it’s high time for a public-private forum for Federal cyber security. Not another conference where people talk at the audience - a real operators’ exchange. That’s why MeriTalk is starting a new Cyber Security Exchange - Our first session is a breakfast meeting on March 21 - CISOs, the Hill, GAO, and industry. We’re focused on change. Nos postulo muto...

Opt in today to keep stirring IT up.

Posted: 1/9/2012 - 7 comments - 0 trackbacks


Small Data on Big Data

If you’re like me - can’t tell the difference between a zettabyte and an overbite - this Big Data stuff may be more than you will want to bite off. That said, brace yourself - Big Data’s the new IT buzz phrase coming to the Beltway. And yes, expect to be beaten bloody about the ears with it this coming year. Expect the loudest noises from the business intelligence - Oracle, IBM, SAS, SAP - and storage vendors - EMC, NetApp, HP, IBM, and Hitachi. But, on the upside, Big Data may give us some relief from the Cloud chorus.
So, what’s Big Data and why should we care? Here it goes, it’s about new insight from a lot of data - think oceans, not tea cups. That data’s often in different formats - text, voice, video, social media, etc. Think fast, huge, complex information super collision and real-time analytics - looking for new patterns. So what’s the value? Well, consider medical research, fraud detection, terrorist tracking, cyber security, C4ISR. It’s about identifying cause and effect, using historical data to predict the future, making better decisions quicker, and enhancing efficiency. Sound like something Uncle Sam could use?
So what’s driving Big Data and why now? Well, first, the quantity of available data to collide is growing exponentially. There are sensors everywhere around us - from software logs to mobile phones to CCTV to Facebook to drones. Each day some 2.5 quintillion bytes of data are created - that’s a lot of dentures. It blows my mind to think that 90 percent of global information was created since 2010. Giant strides in processing, storage, networking, and analytics - advances that dwarf Moore's Law - are unlocking these new predictive models.
So, here’s your chance to get ahead of the crowd. Get brainy on Big Data. Two problems in government. First, there’s no OMB mandate for agencies to do this “Giant Information” - no GI bill if you will. And you might ask, aren’t agencies already busy chasing their tails on Cloud, Data Center Consolidation, and Cyber? With their plates so full, how will agencies find money for this new IT fad? Second, because this is new, there’s little information on who’s doing Big Data in government - hence Small Data on Big Data. If you know any government Big Data Big Brains, we’d like an introduction.

Opt in today to keep stirring IT up.