FCW : November and December 2016
Government and industry must work together to build partnerships that enable trusted information sharing and joint capability development.

tions such as the Defense Advanced Research Projects Agency, the Intelligence Advanced Research Projects Activity and the Homeland Security Advanced Research Projects Agency can work alongside investment strategies coming out of the venture capital community and public/private research partnerships such as In-Q-Tel, following the research lead set by industry.

Forum participants also identified other levers for achieving actionable cybersecurity:

• Enable the mission and support mission users

Any cyber strategy must balance mission enablement with protection. Government provides key information and services every day over open networks; actionable cybersecurity approaches should enable mission delivery and not impede operations, lest the latter result in workarounds that further weaken protections.

Different agencies will address the risk balance in different ways. The delivery of social services, for example, will result in a set of actions that allow individuals to learn about, apply for and receive benefits, while the protection of taxpayer information requires strict attention to security and privacy for sensitive personal information.

Accordingly, the delivery of practical cyber solutions must account for how an agency’s culture affects its employees, beneficiaries and stakeholders.

Simple cyber solutions can be implemented with greater success than those that rely on complexity. Enterprises need to take human factors and usability into consideration when determining cybersecurity solutions, which can drive basic building blocks that help address the majority of vulnerabilities created by inadequate practice of basic cyber hygiene, such as improper response to phishing email messages. That inadvertent insider threat can emanate from all levels of an organization — entry-level staff, C-suite leaders and everyone in between.
More advanced solutions must be adapted based on employees’ competency to create and maintain technical approaches. Elegant technologies that cannot be implemented well will not be cost-effective.

• Build security into development

Participants agreed that, in general, software developers need training in how to build security into applications and increase their cyber analysis capabilities. Most development focuses on maximizing usability and service delivery, with protection bolted on after the fact. Making security central to the application life cycle can significantly reduce basic software vulnerabilities, and development sandboxes can help developers learn how to bolster protections for the next software release.

Conversely, when adopting open-source software, enterprises need to assess vulnerabilities in the supply chain behind that application suite. Building security at the data level can complement technical approaches at the systems level, especially in protecting personally identifiable information and other sensitive data.

There is a growing movement around the development of resilient solutions that learn about threat and response patterns and can address a breach immediately without waiting for human intervention but while providing notices about such actions as a check for system overseers.

• Embrace governance frameworks that encourage collective action

Governance frameworks that promote sound decision-making can significantly enhance an organization’s capacity to provide for cybersecurity. Through leadership and collective action, enterprises can create communities of practice that connect experts with mentees.

Participants also stressed the need to “celebrate the security hero.” Just as law enforcement officers receive commendations for outstanding performance in combating crime in the streets, cyber professionals should be recognized for exemplary performance in combating cybercrime.
As the above points demonstrate, CIOs and IT leaders in government and industry can benefit greatly from understanding and implementing effective practices from each sector. What else should be on the table for future discussions? Please share your thoughts by emailing firstname.lastname@example.org or messaging @FCWnow on Twitter.

Dan Chenok is executive director of the IBM Center for the Business of Government.