FCW : February 2015
How Congress can make cyber reforms real

Congressional oversight is essential to ensuring compliance with cybersecurity legislation. Here are three ways lawmakers can improve that oversight.

Commentary | DAVE McCLURE

In 2014, industry and government were rocked by major cyber breaches and attacks that highlighted continued vulnerabilities in security management. As a result, corporate and agency executives are beginning to pay attention to the business and customer impact rather than assuming security is the narrow and exclusive technical domain of chief information security officers and CIOs.

That change in attitude comes as IT is growing ever more pervasive via the interconnected systems, devices, monitors and sensors that make up the Internet of Things. New business solutions, emerging interactive technologies, innovative data aggregation and delivery options, and hyperscale infrastructure technology all require robust information assurance and privacy protections.

Congress, meanwhile, has passed several reform bills that are moving federal cybersecurity in a similar direction, and no less than eight committees and subcommittees in the House and Senate have announced intentions to hold cybersecurity-related oversight hearings this year.

Congressional oversight is critical to ensuring transparency and accountability for compliance with new legislation. So what can Congress do to more effectively oversee implementation of major cybersecurity reforms? Let me offer three suggestions based on my experience working for and reporting to congressional oversight committees:

1. Focus on fact-based discussions. Oversight is most effective when committees ask agencies for facts that demonstrate how cybersecurity dollars are producing tangible improvements. How have legal, regulatory, economic or mission impact risks been mitigated? Can the agency demonstrate that it is implementing security programs in a cost-effective manner? What is being done to simplify security insights to increase responsiveness and resiliency to changing threats?

2. Learn from leading best practices and avoid past mistakes. Security is not a one-size-fits-all affair. There are operational, technical and managerial controls that apply to any effective security program, but risk management frameworks should result in risk profiles that vary across different agency missions.

Furthermore, with so much security now outsourced as managed services, clear contractor accountability for performance is essential. Congress should demand this focus from audit groups and the reports they issue to oversight committees. With governmentwide buy-in from the executive and legislative branches on a baseline set of controls (like the FedRAMP controls for cloud solutions), audits can become less of a guessing game.

3. Seek consensus on how to prioritize corrective security actions. At the Department of Veterans Affairs, the inspector general reported some 6,000 security risk findings and made 35 recommendations as part of the agency’s reporting under the Federal Information Security Management Act.

But how can VA or any agency possibly address the thousands of findings and related recommendations? What is attributable to lack of management support versus inadequate budget resources or poor budgeting practices? Are resources within existing budgets available to shore up weaknesses, and if so, how can they be prioritized?

Given the vast array of policy, process, managerial, technical and operational demands that are in play, at least some degree of consensus on risk-based priorities is paramount. Agency leaders, inspectors general and the Office of Management and Budget all have important parts to play, but Congress can have a special role in ensuring that viable security solutions are put in place.

DAVE McCLURE is chief strategist at Veris Group.
March 15, 2015