GCN : April 2014
Q: Risk management is an oft-used phrase in cybersecurity today. What does it mean to you, and how well do agencies understand it and practice it?

A: In our business, we manage mission critical systems for our customers. As we see it, risk management is the ability to balance key elements of risk tolerance: the cost to implement security with the ability to effectively execute the mission. This is a delicate balance that can only be achieved by partnering with the customer to develop a deep understanding of their mission. We've been doing this for more than 30 years, and it's this approach that helps enable a meaningful enterprise risk assessment. To help customers and our security practitioners develop this understanding, we created the Fan, a layered cyber defense approach that assesses risk at each level of the IT enterprise -- the perimeter, network, applications, data and client. The Fan allows us to be agnostic to platform and architecture. Each agency has different IT architectures and missions, and they think about risk differently. This approach allows us to leverage a common view of the enterprise and to identify where risk exists in each customer's architecture. Understanding your complete risk posture is essential. It is the difference between being proactive and in a good defensive position, versus reactive.

Q: The relationship between government and industry is seen as crucial to progress in cybersecurity. Where does it stand now, and does it still need to improve? How?

A: The relationship is good, and it's a critical one. This partnership is constantly improving through programs like the Defense Industrial Base cyber pilot. The cyber threat is still a new phenomenon to most, and the ability for agencies to implement even basic cybersecurity practices differs a lot. As we work collectively to get in front of the threat, building cybersecurity early in the acquisition lifecycle is imperative. Creating core cybersecurity criteria for evaluation will be important to establish within future acquisition documents. One area that still needs improvement is securing the supply chain. Government and industry need to work together to find better ways to leverage COTS in secure environments without compromising security. The NIST cyber framework is a great step forward and very useful for communicating how to manage risk by establishing a detection baseline and aggregating and correlating the event data.

Q: What's the state of the government cybersecurity workforce? How can it be improved?

A: The demand for cybersecurity experts far exceeds the availability of this critical talent. That's why we have focused so much effort and investment into enhancing today's workforce and in developing tomorrow's talent. We created our own training program called Cyber Academy, a cyber education continuum for both internal and external customers. We also know the importance of reaching down to the middle and high school levels to get students excited about a career in STEM and cybersecurity. To that end, we're entering our fourth year as presenting sponsor of the Air Force Association's CyberPatriot program, the national youth cyber defense competition. We also partner with universities across the country to develop the cyber workforce. This includes funding the nation's first cybersecurity honors program, the Advanced Cybersecurity Experience for Students at the University of Maryland, and the Cyber Scholars program and the Cync incubator at the University of Maryland, Baltimore County. We also created the Cybersecurity Research Consortium, which includes Carnegie Mellon, Massachusetts Institute of Technology, Purdue and the University of Southern California, and opened a cyber lab at Cal Poly San Luis Obispo. We see our customers extending their training programs in cyber, and the workforce is growing. We also see the military academies offering cyber degrees. In total, there is much to do but I see the ranks of cyber-educated professionals increasing and ready to take on this critically important mission.