Fortalice Solutions President and CEO and Dark Cubed Co-Founder Theresa Payton sheds light on the gender gap in cybersecurity and discusses ways to engage more women in cyber careers. Fortalice Solutions Chief Information Security Officer Ken Bailey will be speaking on the Life of a Hack: A Business Survival Guide panel at the second annual Capital Cybersecurity Summit on Nov. 14-15, 2017 in Tysons Corner.


What image flashes in your mind when you hear the word “cybersecurity?” Is it a room filled with happy, diverse, productive people making a difference in the world around them? Sadly no. More than likely, it’s a guy hunched over his computer wearing a dark hoodie with some ones and zeros floating above his head. Or maybe it’s a cold room in a basement filled with rows and rows of computer servers. If you’re a woman looking at the next 30-40 years of your life, would you pick a career that looks so ominous? Probably not.

Optics is one of the biggest hurdles we face as cybersecurity professionals and the hurdle is even greater for women in security. Generally speaking, women are more drawn to careers where they can use their intellectual, emotional and interpersonal skills and cybersecurity does a terrible job promoting itself in those areas. What if I told you that cyber can be an extremely emotionally charged field? Yes, it’s logical and yes, it’s technical – but the beauty is that we use those skills in conjunction with softer skills to truly help people.

In my daily life as CEO of Fortalice Solutions, I work directly with the government, corporations and people to protect what’s most important to them, including intellectual property, financial assets and healthcare information. And perhaps the most rewarding of all, I work frequently with law enforcement to use innovative technology to combat human trafficking and childhood sexual exploitation. We need to demystify cybersecurity and talk plainly about how our field helps people, in real tangible ways.

For example, I’ve often said that security is inherently flawed because it is not designed for the human psyche. Today security is not only an afterthought, security designs have zero empathy for the human. Do you know any non-technical professionals that profess a deep fondness for strong passwords? You don’t. Passwords are designed for the technology and we ask the human to conform. According to cybersecurity best practices, people will share and forget passwords and they will do unsafe things to get their jobs done, such as use free, unsecure Wi-Fi. Haven’t you? Women’s natural intuition and emotional intelligence to see themselves in someone else’s shoes is exactly what we need to combat this problem!

In order to be more inclusive of women in cybersecurity, at least three things need to happen.

First, hiring managers need to expand their criteria and qualifications. Many hiring managers are leaving women and minority candidates on the sidelines by chasing the same resumes, the same degrees and the same alphabet soup of certifications in future employees. While this might be one indicator of a successful hire it is not the only indicator. The best cybersecurity professionals are insatiable learners and highly skilled problem solvers who think about the user while never underestimating the adversary. Take a chance on a different degree and background and invest in cross training. Some of my best cybersecurity team members started out in a different field and are now some of the best, most well rounded cybersecurity professionals we have on the front lines of fighting cybercrime.

Second, an April 2013 survey of Women in Technology, found that 45% of respondents noted a “lack of female role models or [the encouragement to pursue a degree in a technology-related field].” It’s been proven that professional mentorship and development dramatically increase participation in any given field, so the lack of women in cybersecurity is really a compounding problem – we don’t have enough women in cyber because there aren’t enough women role models in cyber. While connecting with other women has had its challenges, there are wonderful women in cyber today… look at KT McFarland, Deputy National Security Advisor and Ambassador to Singapore, and Keren Elazari, a global speaker on cybersecurity and ethical hacker out of Israel. They are rock stars.

I’ve been very lucky to work with wonderful, inspiring women in cyber, but I recognize that my exposure might be more than women starting their career. This brings me to my third point: I recommend all cyber practitioners, and especially women, take advantage of all the amazing free tools out there from RSA, TED talks, and even YouTube. You can watch speeches from veteran cybersecurity professionals about their careers, hear their advice on how to succeed, and learn new skills to keep you competitive in the workplace. Consider free online courses in cybersecurity or popular programming languages like Python. Ask your colleagues to show you their favorite geek gadget or ethical hack. There are some excellent security frameworks and guidance available for free online such as the NIST framework, CIS Critical Security Controls, SSAE 16, and discussions on GDPR. Leverage social media to hear what’s on the minds of security experts. In this field, be a constant student of your profession.

It’s true there is a shortage of women in cybersecurity but there is not a lack of talented and strong women in this world. Cybersecurity requires a general shakeup and perhaps women are the ones to do it. I’m grateful that I can talk about my industry and I hope more women join this exciting field… and they can even wear their favorite hoodie.


Hear why modern day supply chain risk management is requiring a new architectural paradigm shift in NVTC’s latest Capital Cybersecurity Summit guest blog by Strategic Cyber Ventures CEO Tom Kellermann. Kellermann will be moderating the What Keeps CISOs Up At Night? panel at the second annual Capital Cybersecurity Summit on Nov. 14-15.


2017 has been a reality check for corporations. The reality is that cyberspace has become a free-fire zone with a multiplicity of actors who are determined to wreak havoc. The dark-side of globalization resides in cyberspace. Corporations are regularly under siege from a multiplicity of threat actors. The cyber arms bazaar that flourishes around the world has allowed for criminals and nations to wage long-term campaigns against corporations and government agencies. These cybercriminals stalk businesses and consumers from the fog of the Dark Web. Evidence suggests that the Dark Web has become an economy of scale wherein the cyber-crime syndicates have begun to target the interdependencies of our networks. 2017 has ushered in a foreboding era of digital colonization of American cyberspace.

As the cybercriminal community burrows into our networks we must appreciate that after the initial theft of data they tend to hibernate. This hibernation allows for secondary schemes of monetization. Some of these criminal endeavors include reverse business email compromise against your customers and/or selective watering hole attacks. Cybercriminals realize that there is implicit trust in your brand; trust that can and will be exploited. The modus operandi of cybercriminals has been modernized and thus we should allow their offense to inform our defense.

In 2017, CSOs must enhance the scope and diligence of their supply chain security assessment. First, security strategies must encompass more than technology vendors. Law firms and marketing firms should be included in all annual security assessments. Second, any merger or acquisition must include a compromise assessment. Such a compromise assessment should include a penetration test from within your network to the outside world. Finally, service level agreements (SLAs) must be modernized to mitigate the cyber threats of 2017, therefore the rigor of the security controls required must encompass elements of intrusion suppression like the proactive use of deception grids and adaptive authentication.

Managing cyber exposures to your supply chain is a function of conducting business in 2017. Beyond mere compliance with existing standards corporations must protect their brand before it is hijacked. Supply chain risk management requires an architectural paradigm shift to intrusion suppression. Modernizing defense in depth will allow an organization to thwart the burgeoning digital invasion of their network. It is imperative that we reevaluate vendor relationships and institute increased safeguards and oversight as information supply chain risk is here to stay. Cybersecurity investment begets brand protection which in turn mitigates third-party risk. Those companies who embrace brand protection as a function of comparative advantage will be better prepared to combat the inevitable attacks that will occur, and will become the titans of industry.


Your company has just encountered a data breach? Now what? In NVTC’s guest blog, Veronica Jackson, associate at Miles & Stockbridge, provides immediate steps a company should take upon discovery of a data breach. Jackson will be participating on the Life of a Hack: A Business Survival Guide panel at the Capital Cybersecurity Summit on Nov. 14-15, 2017.


In the wake of the latest massive data breach, this one involving Equifax, more and more companies are likely wondering what they should do in the event that they are faced with a data breach that exposes the personal data of their employees or customers. Data security incidents involve complex legal issues that must be navigated carefully to reduce the risk of improper (or unnecessary) breach notification, attention from state and federal regulators, and potential class actions related to the exposure of personal information. There are several key steps a company should take upon discovery of a data breach. While these steps are numbered, many of them must happen both immediately and simultaneously.

First, immediately contact your company’s incident response team pursuant to your Written Information Security Plan (or “WISP”). Second, contact law enforcement and any relevant insurance carriers to assist with coverage of costs for the data breach response effort and to prevent waiver of potential coverage for tardy notice. Third, quickly assess the scope of the breach (i.e., whether the breach is ongoing, whether data was acquired or simply accessed by the hacker, who suffered a breach of their personal information, and what type of information was exposed). Fourth, stop the breach, if possible, through remedial data security measures, possibly with the assistance of a forensic IT consultant to bolster your company’s security systems.

Organizations that have already suffered from a breach especially must consider what additional safeguards (including employee training) should be implemented to avoid another breach in the future. Fifth, analyze data breach compliance requirements by identifying the jurisdictions of residence for the affected population and assessing what notification requirements are triggered by each applicable statute.

Data breach compliance requirements also may be triggered by the regulatory framework covering the type of information that was exposed (i.e., HITECH and HIPAA compliance for personal health information). For affected persons residing in Maryland, for example, notification is not required if, after an investigation, the entity determines that personal information has not been or is not likely to be misused (documentation of that conclusion, however, must be retained by the entity for three years). In instances where notification is required, even for just one Maryland resident, notice must first be sent to the Maryland Attorney General’s data breach notification department. In the District of Columbia, on the other hand, there is no “likely harm” exception to notification, and notice to the Attorney General is not required. In instances where 1,000 or more residents are receiving notice at a single time, both Maryland and the District of Columbia require that notice be sent to all nationwide consumer reporting agencies regarding the timing, distribution and content of the notices.

Finally, prepare a data breach response plan that attempts to mitigate potential harm to the affected population and complies with applicable data breach requirement statutes and regulations. Since the Supreme Court’s decision in Spokeo v. Robins attempted (but failed) to clarify the legal standard for what constitutes sufficient harm to a person affected in a data breach for legal standing purposes, a Circuit split has emerged. Because it remains unclear what level of risk for future harm or actual harm is required (short of actual identity theft), efforts to minimize the risk of identity theft and other subsequent harm, as well as providing free preventative services to affected people, are valuable tools that may provide a defense against subsequent litigation stemming from the data breach. Many organizations elect to provide an affected population with identity theft prevention services that monitor their credit and also aid them in any credit repair efforts they may need should they fall victim to identity theft.  Many state attorneys general also look at whether an organization is providing such services to its residents when reviewing data breach response notifications.

This blog was written by Veronica Jackson at Miles & Stockbridge.

 

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.


On Sept. 27, the NVTC Tech Innovations Committee and the Embassy of Canada hosted an exciting evening which featured an engaging panel discussion on the latest tech platforms and what their future may look like. Attendees also enjoyed top networking in a beautiful setting at the Embassy after the panel.

Panelists included:

  • Carol Brock, Global Public Sector Strategist, OpenText
  • Juliane Gallina, Partner and Director, U.S. Federal Solutions, IBM Federal
  • Ashish Jaiman, Director, Civic Tech and Services, and AI Evangelist, Microsoft

GeoPay CEO and Tech Innovations Committee Chair Darren Feeley moderated the panel.


Thank you to the following event sponsors:

Location & Supporting Sponsor: Embassy of Canada
Networking Sponsor: Drinker Biddle & Reath LLP
Hospitality Sponsor: Verizon
Supporting Sponsors: Blackstone Counsel; Fairfax County EDA


Is your organization an NVTC member company dedicated to hiring and developing Veterans? If so, you’ll want to read on!

The NVTC Foundation and the NVTC Veterans Employment Initiative (VEI) are seeking nominations for their second annual VEI Veteran Service Award, which honors an NVTC member company that has demonstrated a superlative level of engagement with the VEI and support of the Veteran and military community.

The award will recognize an NVTC company that goes the extra mile to hire transitioning military members, Veterans and their spouses into their corporate workforce. The most qualified nominations will come from companies that have not only hired Veterans, but also actively participate in the programs and services of the VEI and other Veteran-focused philanthropic and volunteer endeavours.

Submit a nomination for the VEI Veteran Service Award by November 3! The VEI Veteran Service Award will be presented at NVTC’s annual TechCelebration Banquet on December 11 at The Ritz-Carlton, Tysons Corner.

For questions regarding the award, please contact VEI Director Steve Jordon at 703-268-5145 or by email.

Congratulations to the MITRE Corporation, winner of the inaugural 2016 VEI Veteran Service Award!


NVTC Kicks Off Fall with Member Networking Event

September 14th, 2017 | Posted by Alexa Magdalenski in Membership

Over 100 NVTC members came together for a fun evening of networking on Sept. 13 at NVTC’s Member Networking Event. The highly-attended event at the Sheraton Tysons was an exciting kickoff to NVTC’s events season. Attendees enjoyed live music and delicious appetizers while connecting with fellow members and making new connections.

Members can visit www.nvtc.org/events for the latest NVTC networking opportunities.


The world’s total digital data volume is doubling in size every two years, prompting organizations to find new ways to secure their complex data. In their new NVTC member blog, LMI provides tactics for determining cybersecurity threats in your organization’s digital supply chain and securing critical data.


The world’s total digital data volume is doubling in size every two years, and by 2020 will contain nearly as many digital bits as there are stars in the universe. Most of this data is created and communicated over the Internet, whose “population grew by more than 750 percent in the past 15 years to over 3 billion. This population shares more than 2.5 million pieces of content on Facebook, tweets more than 300,000 times, and sends more than 204 million text messages—every minute.”

With the advent of the Internet of Things and other innovative technology platforms, organizations must continuously analyze and secure their complex data. For supply chain operations, digitalization has enabled leaders to access data faster and build stronger connections within a given supply chain. While there are clear benefits of the digital supply chain, there are challenges that need to be overcome in order to realize its full potential.

According to Ernst & Young, complex data presents numerous challenges to supply chains:

  • The volume of data is skyrocketing as diverse data sources, processes and systems show unprecedented growth. Companies are trying to capture and store everything, without first establishing the data’s business utility.
  • The fact is, technology is enabling this proliferating data complexity—continuing to ignore the need for an enterprise data strategy and information management approach will not only increase “time to insight,” but it may actually lead to incorrect insights.

Perhaps none of these challenges is as critical as an organization’s ability to successfully secure its supply chain data given the IT security risks posed by the Internet. In fact, 30 percent of supply chain professionals are “very concerned” about a data breach. The concerns of these professionals are well-founded. The number of cybersecurity breaches is growing by 64 percent every year with 60 percent of cyber breaches linked to insiders—current and former employees, contractors, service providers, suppliers and business partners.

Unfortunately, many organizations are unaware of the security vulnerabilities within their supply chain or how to determine those vulnerabilities. To help organizations determine their vulnerabilities, start by answering the following three questions:

1. How will the product be used and managed in the system? While any system breach is bad, the compromise of a system managing classified data is much worse than that of a system managing publicly available data. Understanding the use of the Information and Communication Technology (ICT) equipment will help determine the resources appropriate to secure the system. In reviewing the product use, consider what other systems are connected to the focus system. A less secure system can serve as a pathway to attack a more highly secured connected system. This was the method used to steal credit card numbers from Target in 2013.

2. How is the system connected to the rest of the world? A system that is connected to the public Internet will need more reliable security, since it would be easy to find and attack. On the other hand, a system that is isolated from any other network would have a much lower risk of attack or data breach, since the attacker would need to be in physical proximity of the system.

3. Who are the system users? Are the users internal employees who are trained on security procedures or is the system accessed by a public user base which may not consider risky security behaviors? Simple security procedures, such as keeping passwords secret and maintaining current anti-virus software, cannot be counted on if you do not directly control users’ environments.

By answering these questions, organizations could quickly and effectively determine the security vulnerabilities within their digital supply chain. Organizations can also contact our cybersecurity experts who can help you monitor, prioritize, and effectively manage your risks to create an optimal level of security based on mission priorities and resource constraints.

 


Virginia: A Global Technology Center

August 17th, 2017 | Posted by Alexa Magdalenski in Research

NVTC recently published the third infographic in its research series. The latest infographic highlights Virginia’s position as a global technology center and a top state for business. Continue reading for some of the key findings in the infographic.


Virginia’s tech job opportunities are unmatched

  • Virginia ranks #1 in total employed and geographic concentration of cybersecurity workers.

Virginia’s cybersecurity workforce location quotient – a Bureau of Labor Statistics data-driven ratio highlighting a geographic area’s distribution within a given industry – is first in the nation at 4.47, far exceeding the 1.0 that is our national average. Or to put it another way, there are more cybersecurity workers per employed capita than anywhere else in the country.

  • Virginia ranks #1 in cybersecurity job openings.

Virginia ranked first again in the number of cybersecurity openings posted. Cyberseek heatmap openings totaled 35,837 for the period running April 2016 through March 2017.

  • Virginia has the second largest percentage of private tech sector employees.

In the 2016 CompTIA Cyberstates report, Virginia ranked second in terms of percentage of private sector workers employed by tech firms at 9.5 percent. The report also noted:

  • Virginia had the fourth highest number of all technology job postings;
  • Virginia had the fifth highest tech payroll compared to the national average wage differential at $31 billion; and
  • Virginia ranked sixth in the total number of tech workers (284,681), average wage ($109,038), total number of tech establishments (19,568) and tech as a percentage of state product (8.8 percent).

Startup growth is strong in Virginia

  • The Kauffman Index of Growth Entrepreneurship ranks Virginia #1 for startup growth.

The Kauffman Index of Growth Entrepreneurship uses three components of small business activity to provide an early indicator of small business growth, including the rate of business owners in the economy, the five-year survival rate of businesses and the established small business density.

Virginia is pro-business

  • Virginia ranks #4 in the 2015 top 10 pro-business rankings.

The Pollina Corporate Top 10 Pro-Business States report details how well each state has positioned itself to retain and create jobs. Virginia is the only state that has been in the top five every year since the inception of the rankings.

Want to learn more about NVTC’s latest research initiatives? Email Research and Strategic Initiatives Manager John Shaw.

View NVTC’s cybersecurity and data analytics infographics.


What do cloud and AI mean for human resources? Will automation replace human resource functions and associates? Read on to find out in Insperity’s newest NVTC guest blog.


Cloud-based tech solutions for human resources offer the promise of easy installation and implementation, but does such software really eliminate the need for HR staff?

The short answer is no.

While new technical offerings can improve the efficiency and speed of many HR processes, the human touch is still needed to get the most out of the software.

For example, you’ll still need someone to “operate the machinery,” so to speak, or administer the software. In a smaller company, that may be one combination payroll and HR person. In a larger company, you may need one employee to do nothing but maintain, update and run the software so that your company gets the most from its capabilities.

When HR software works best

Technology is your friend when it comes to the tactical aspects of human resources. For instance, an online time tracking system that ties to your payroll and government reporting systems can save significant time and improve accuracy over manual tracking and handwritten reports.

Cloud-based HR software can automate formerly complex, time-consuming activities including:

  • New hire paperwork, such as the I-9 authentication and reporting of right to work in the United States
  • Storing of data for compliance
  • Tracking of critical HR data related to hours worked by project or department, turnover and more
  • Garnishments, reporting and mandatory requirements that vary by state

For example, a company operating in a big state like Texas may not be accustomed to the HR complexities of hiring across state lines. But open an office in New York, and you could have employees who work in that state but live in Connecticut or New Jersey.

HR software can help ensure your compliance with multiple states’ payroll tax requirements, and prevent you from having to learn and implement such widely disparate laws on the fly. The best-case scenario is when you have the right software in place to facilitate efficiency and compliance, with access to experienced HR professionals to guide you.

What to look for in HR software

Once you’ve decided whether an HR software package delivers the basic functions your business needs and will help drive company goals, it’s time to take a deeper dive into its functionality.

Some questions to consider:

  • What purpose will this software serve? Will it eliminate, add to or integrate with your existing systems?
  • Who will administer the software? Will they require extra training? If yes, how much? How much training is included in the price?
  • Is this software backed by HR on demand? For example, even with the best software, you’ll still have the occasional compliance question. Look for a software solution with human support.
  • Will this software integrate with other existing software for payroll, time and attendance, or enterprise resource planning (ERP)?

As you talk to software vendors, it’s vital you involve frontline workers who operate existing systems to help you evaluate any new HR software and its integration requirements. Depending on your current set-up, this may mean you bring in the payroll administrator, ERP data manager, compliance officer or the HR specialist managing the current performance system.

These are the people who can help you avoid the costly mistake of buying software that ultimately will not “play nice” with your other systems, since they know the intricate details of how your existing systems really work.

Why leadership is still needed

While cloud-based software may streamline many HR processes, there’s no substitute for sound leadership. Think “strategic” versus “tactical.”

Yes, software can help a company align its objectives and drive engagement through performance management, employee feedback mechanisms, people analytics, training, and compensation and rewards systems. But no software will ever replace a leader who communicates, inspires and motivates employees to achieve the organization’s goals.

As a business grows, it becomes harder to keep employees aligned with the company’s goals and strategies. Software can help keep your ship on the right course, but at the end of the day, any technology solution is only as good as the people behind it.

Learn more about Insperity here.


On August 9, Governor Terry McAuliffe announced that over 26,000 Veterans have been hired through the Virginia Values Veterans (V3) Program since its inception in 2014.

The NVTC Veterans Employment Initiative (VEI) is proud to announce that NVTC member companies are responsible for over 6,000 of these Veteran hires!

The Virginia Values Veterans (V3) Program is a Commonwealth of Virginia, Department of Veterans Services Program. V3 helps employers understand, design and implement nationally recognized best practices in recruiting, hiring and retaining Veterans. Nearly 600 companies and state and local governments are V3-certified, promising to prioritize bringing Veteran talent into their organizations.

The VEI is a strategic partner with V3. V3 Northern Virginia Program Manager Rick Ferry sits on the VEI Task Force and VEI Director Steve Jordon sits on the V3 Veterans Workforce Steering Committee.

Currently 35 NVTC member companies are V3-certified and that number continues to grow. Micron is the latest NVTC member to be certified just last week.

In 2015 and 2016, NVTC was honored by the Virginia Department of Veterans Services with the V3 Commonwealth Award. The Commonwealth Awards are presented to strategic partners and supporters of the Virginia Values Veterans V3 Program who have made significant contributions to the operation, strategy, and mission of the V3 Program and who have used their expertise to help make Virginia the most Veteran-friendly state in the nation to work.

Interested in becoming V3-certified? Contact Steve Jordon or Rick Ferry to learn more.
