Recently I attended the CISQ Cyber Resilience Summit, my first event in Washington, DC as Executive Director of CISQ.
The event started with a keynote from Bob Kolasky, Assistant Director of the National Risk Management Center (NRMC) with the Cybersecurity and Infrastructure Security Agency (CISA). Bob started by explaining the main priorities for NRMC which include federal network security, election security, industrial control security, and supply chain security.
Bob went on to talk about the work of the agency in securing the nation’s supply chain, which has become the attack vector of choice for many US adversaries. With nine major categories of ICT supply chain threats identified, and over a hundred potential attack scenarios, the NRMC has taken a multifaceted approach, focusing on information sharing, threat evaluation and mitigation, and stressing the need to purchase from authorised OEMs and suppliers.
One of the key takeaways for me is the need to build cyber resilience into the network and related infrastructure at source, especially as we deploy new 5G technology. We need to remain ever vigilant as attack vectors change and adversaries probe the supply chain and network for potential weaknesses.
Next at the event I had the honour to introduce Dr. Barry Boehm, truly one of the pioneers of software engineering and one of my personal heroes and inspirations. Dr. Boehm addressed the need to focus not only on functional requirements but also on resilience, maintainability and reliability - those software characteristics often tagged as “non-functional requirements” and often seen as an afterthought. Dr. Boehm’s advice is to follow the money and focus on maintenance and legacy costs to gain the attention of relevant business capability owners.
Dr. Boehm went on to highlight the problem with over-optimism regarding programme delivery and costs – the “Conspiracy of Optimism.” This is an effect I saw personally when reviewing business cases. There may be individual and institutionalised bias towards the lower range regarding cost and schedule, either because nobody wants to be seen as negative or they have already invested considerable effort in the programme.
Another anti-pattern Dr. Boehm highlighted was over-concern with the voice of the customer, leading to compromises and poor architectural and design decisions and, in some cases, outright programme failure. So it appears the old adage that the customer is always right is itself wrong - in some cases.
It would take too long for me to capture all of Dr. Boehm’s wisdom, so I recommend downloading the presentation.
We were fortunate to have Isaac Montgomery at the event to talk about the Scaled Agile Framework (SAFe), the de facto agile scaling approach within many federal agencies. With the release of SAFe 5.0 this was a very timely presentation. The Q&A session was interesting as it helped to focus on the issues of managing non-functional requirements, making sure they are visible on the backlog or as strategic themes, and the need to stay on top of technical debt from the get-go, which means making it visible to relevant stakeholders. Isaac’s presentation can be found here.
The Titans of Cyber panel had some big names, with Luke McCormack, former CIO, Department of Homeland Security, chairing the panel, and speakers Margie Graves, Federal Deputy CIO, OMB; Keith Nakasone, Deputy Assistant Commissioner, Acquisition Management, GSA; and David Powner, Director of Strategic Engagement and Partnerships, MITRE.
A couple of key takeaways from the panel are to treat data strategically, not just regarding its use but also its security. As we harden the networks, the data that flows through them is becoming a new attack vector, and poorly encrypted data is vulnerable not just in legacy systems but also in the cloud.
We also need to improve reporting so mechanisms like the Federal Information Technology Acquisition Reform Act (FITARA) Scorecard provide insight on network and application vulnerability, and we should do so against recognised standards.
Victoria Yan Pillitteri presented on NIST SP 800-160, Developing Cyber Resilient Systems: A Systems Security Engineering Approach. This is a framework I have a lot of respect for as it offers practical advice regarding risk management and cyber security beyond the standard advice, focusing more on the end-to-end process. Victoria did a great job of explaining its major components and relationship to other NIST standards. See her presentation.
Bobby Stempfley, Director of SEI's CERT Division, started her session on The Future of Cybersecurity with a profound statement that we as IT professionals operate in the past, present and future: dealing with legacy systems, current vulnerabilities, and future risks and uncertainties. That may seem to be an obvious statement, but I think it goes a long way to explain the complexity of our industry. Bobby’s advice on AI and the need for an integrated engineering process is something the industry needs to act on. The session also highlighted a number of industry paradoxes: zero-trust networks increase the need for trust in data, the death of the boundary created a boundary explosion, and smarter software requires safer and more secure infrastructure. See her presentation.
Katie Arrington, Special Assistant for Cybersecurity in the Office of the Under Secretary of Defense for Acquisition and Sustainment, keynoted on the department’s Cybersecurity Maturity Model Certification (CMMC). It was very motivational. Katie pointed out that government programs often neglect cybersecurity or underestimate the effort and cost. There’s also the need to get small businesses to be more diligent and proactive regarding system hygiene and security. CMMC will incorporate tools to conduct audits, collect metrics, and inform risk mitigation. Additionally, it will outsource assessments to independent third-party organizations. I am sure CMMC will be a topic we will cover in the future. See her slides.
The Regulators Roundtable with Dr. Bill Curtis, Dr. Seth Carmody, Timothy Noonan, and Maria T. Vullo (another group of big hitters) focused on cyber risk measurement and how cyber policy is set and implemented in the industries they regulate. A recurring theme of the panel was the limits of the regulators and the thin line between providing industry oversight and becoming prescriptive. Supply chain security was mentioned as an area regulators and auditors need to focus on, which I found timely given CISQ’s work on the Software Bill of Materials (SBOM).
Finally, Tony Scott, Managing Partner, RIDGE-LANE Managing Partners and former Federal CIO, wrapped up the day. Tony warned of the dangers of overplaying cybersecurity to the point we become numb to the message. The convergence of cyber and privacy was another area Tony said will cause both private and public sectors to rethink their security strategy. Also, look forward to seeing the BIMI logo on emails as a sign of sender authenticity.
There was one other presentation on reducing risk with suppliers, but if you would like to know more about that, drop me a line or attend the webinar on October 30th, Quality in the Digital Age – The Role of the SI in the Software Supply Chain.
All that’s left for me to do is thank all the presenters, and Tony Scott and Luke McCormack, for going above and beyond in making the event a success. Also thanks to Tracie Berardi, CISQ Program Manager, who brought it all together.