Page 32 - FCW, Sept/Oct 2018
FCW Perspectives
Such experts are in short supply,
however — and they generally want to stick with technology, not acquisitions and life cycle costs. “I know in our case we can’t afford to have a person in the room like that every time,” one participant from a smaller agency said, as several others nodded in agreement.
Another executive, however, said agencies could turn to federally funded research and development centers for those in-the-room experts. “They’ve got the expertise and the competency and can be free of the conflicts of interest” that vendors might bring, the official said.
Also, many agencies have more expertise than they might think, said one official who has worked at multiple departments. “It’s very rare that we show up somewhere and no one has the answers,” that official said. “It’s just that the person who has the answers is usually someone who is either not being listened to or is not empowered. So we can usually find those pockets of competence.”
Time to create a crisis?
One participant said some agencies won’t take appropriate steps until an incident forces them to and that perhaps it would be better to create those events on a manageable scale. “I hate to say it, but the reason DHS was formed was because planes flew into buildings, right?”
Such a provocation could take the form of unannounced penetration testing, the official said, or even the introduction of low-level problems into an agency’s systems to force a response — the cyber equivalent of an inoculation.
“A lot of [penetration testing] programs essentially get neutered in effectiveness,” the official said, because the resulting reports are easy to ignore. “So now you have to make a hard choice: Do you want to kind of take the gloves off and let real damage be caused? Because once there’s real danger, sometimes the crisis actually does cause change. But doing that is obviously not easy.”
Most of the group was uncomfortable with government actively hacking itself. “I would rather not think that we’re so good at crisis management that we need a crisis to manage,” one said. “I’m hoping that we just naturally say, ‘This is what we’ve got to do’ because we’re cognizant of the consequences if we don’t.”
Learning to love risk management
Being cognizant of the consequences and acting accordingly is the bottom line, the group agreed. And if only one piece of guidance matters, it’s the Risk Management Framework.
Oversight can complicate agencies’ efforts to adopt the RMF, several noted, because the Government Accountability Office and many inspectors general have not fully squared it with their auditing approaches. But framing the conversation in terms of risk can help with other potential friction points — such as agency financial officers.
One official who spent years butting heads with the finance team finally realized that his number-crunching colleagues were simply managing a different category of risk — a revelation that “was really useful in changing my communication with that group.”
“Honor their processes,” the official advised. “Tell them you’re doing it but your way, in your world, and you can get a couple of allies from that side.”
Participants
Seth Abrams
CTO, Department of Homeland Security Group, General Dynamics IT
Surendra Babu
Information System Security Manager, Department of Education
Maj. Tom Bereknyei
Lead Engineer, Defense Digital Service
Veronica Branch
Branch Chief, Department of State
Brian Gattoni
CTO, Office of Cybersecurity and Communications, Department of Homeland Security
Larry Hale
Director, Strategic Solutions and Security Services, General Services Administration
LCDR James Jones IV
Deputy Director of Cyber Security, National Oceanic and Atmospheric Administration
Wanda Jones-Heath
Chief Information Security Officer (SAF/CIO A6Z), U.S. Air Force
Matt McFadden
Cybersecurity Service Area Director, General Dynamics IT
Michael Powers
IT Security Manager, NASA
James Quinn
Senior Advisor for Cyber, Department of Homeland Security
Clinton Swart
Information System Security Officer, Smithsonian Institution
Note: FCW Editor-in-Chief Troy K. Schneider led the roundtable discussion. The Aug. 9 gathering was underwritten by General Dynamics IT, but both the substance of the discussion and the recap on these pages are strictly editorial products. Neither GDIT nor any of the roundtable participants had input beyond their Aug. 9 comments.