Senior Security Architect for the General Services Administration’s (GSA’s) Technology Transformation Services (TTS) and Centers of Excellence (CoE) Dan Jacobs wants agencies and industry alike to heed the lessons GSA has learned from experience and the Black Hat conference over the past 16 years when it comes to securely implementing cloud.
Speaking today at a luncheon hosted by Symantec, Jacobs identified four key lessons for cybersecurity and cloud solutions. He mentioned that it was critically important to work with partners and consider all objectives in the cloud journey.
The first lesson for GSA was that sometimes the best security solution isn’t adding more product to solve the problem. Jacobs offered that it could be any number of reasons that aren’t technical, including workforce modernization or training, but “if you have 125 products in order to score an [authority to operate] for your enterprise, maybe 126 isn’t what’s going to get you there.”
Along those lines, Jacobs said that another lesson for GSA was that human problems can occur, where an agency may have originally thought it was a technology problem. Agencies have to be equipped to deal with human error or “we’re going to continue to bang our head against the wall trying to figure out a way forward,” Jacobs says.
Another lesson GSA learned over the years is to encourage industry and agencies to cooperate to be effective for production—a lesson Jacobs repeated. It wants more agencies to consider bug bounty programs and to learn from one another to secure cloud efforts.
Lastly, GSA wants more agencies and companies to consider bug bounty programs and other means of incentivizing work.
“What we’re saying is that I’m going to hire thousands and thousands and thousands of security researchers to take a look at my stuff to deliver vulnerabilities to me, and I’m going to pay them what I think those vulnerabilities are worth,” Jacobs said. “Ladies and gentlemen, you are not going to find a whole lot of other opportunities where you get to decide how much you pay thousands of security researchers to work persistently for you.”