1021Capital Cybersecurity Summit Logo 3Throughout the coming weeks on the NVTC blog we’ll be sharing content from our inaugural Capital Cybersecurity Summit that took place on Nov. 2-3, 2016 at The Ritz-Carlton, Tysons Corner.

One of the Summit’s highlights was the Investment Capital for Cybersecurity Panel, which focused on how to raise sufficient capital to fund promising cyber technologies and applications. The discussion featured Crosslink Capital Venture Partner Matt Bigge, Bessemer Venture Partners Vice President Sunil James, Blackstone CISO Jay Leek and Paladin Founder and Managing Partner Michael Steed. Raymond James Managing Director and Co-Head of Technology & Services Stefan Jansen moderated.

Jansen’s opening question for the investor panelists, “What does it take for cybersecurity startups to matter?” brought to light two themes that emerged throughout the panel: (1) to attract and maintain investors, promising cyber businesses must be inherently committed to innovation; (2) the human capital side of cyber startups and the teams that drive them are as important as the technologies themselves for investors.

Steed shared that he looks to invest in cyber companies that are disruptive in the cyber space and filling a void that solves a distinct cyber problem. James noted that his organization looks for a vitality in startups – energy for innovation that inspires engagement in all ranks of the organization and is infectious.

Bigge noted that his most successful cybersecurity investments have been made in organizations with strong founding teams that are passionate about solving their customers’ problems. Leek agreed, stating that investing in a company’s management team is just as important as the technology itself. Leek encouraged promising cyber businesses to take a deeper look into the efficiency of their operations, a critical factor for investors.

Some of the other noteworthy investment factors panelists shared included:

  • The importance of a quality and diversified revenue base for cyber startups
  • Rising cyber businesses must be able to provide ROI for their products and services after their first year
  • Cyber startups should have the ability to pinpoint opportunities for expansion within their existing customer base

View the full video from the Investment Capital for Cybersecurity Panel below and stay tuned for more Capital Cybersecurity Summit content here on the NVTC blog!

Investment Capital for Cybersecurity Panel Video: 

Check out the Capital Cybersecurity Summit photo gallery!

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

1021Capital Cybersecurity Summit Logo 3Leading up to our Capital Cybersecurity Summit NEXT WEEK on November 2-3, 2016, we’re sharing a weekly roundup of some of the top cybersecurity stories. Here are the last week’s top headlines. Tweet us interesting cyber articles at @NOVATechCouncil.

National Cyber Response Plan + Cybersecurity Strategies:
DHS Races to Get Obama’s Signature on Cyber Response Plan   NextGov

Good Cybersecurity Doesn’t Try to Prevent Every Attack   Harvard Business Review

Why the Auto Industry Is Tapping a Boeing Executive to Lead Its Cybersecurity Group   Fortune

DDoS Attack:
Hobbyist hackers probably caused Friday’s Internet meltdown, researchers say   Washington Post

Cybersecurity Meets Privacy Concerns:
Is Facebook’s Facial-Scanning Technology Invading Your Privacy Rights?   Bloomberg Technology

AI + Cybersecurity:
As Artificial Intelligence Evolves, So Does Its Criminal Potential   The New York Times

Want to learn more about NVTC’s 2016 Capital Cybersecurity Summit and register? Click here or watch the video below. #CapitalCyber

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Doug Logan, chief technologist at US Cyber Challenge and CEO of Cyber Ninjas, is the author of our latest cybersecurity guest blog post on new approaches to cybersecurity hiring and retaining top cybersecurity talent. US Cyber Challenge’s National Director, Karen Evans, will be speaking on the Force Multipliers to Future Cybersecurity panel at the 2016 Capital Cybersecurity Summit on Nov. 2-3, 2016.


us cyber challenge logoWith over 209,000 vacant cybersecurity jobs in the U.S and job postings up 74% over the last 5 years; it is an understatement to say that cybersecurity is a growth field. Yet with my work with the US Cyber Challenge, I am routinely told by some of America’s best and brightest that they’re having difficulty finding a job. Once a person reaches the six month mark in a cybersecurity role, recruiters will call like crazy. Getting that initial experience is another story. If we’re going to secure our companies and our country, this is a problem we need to solve.

Traditional hiring practices suggest that we find people who have performed the job function in the past. By this measure, studies have shown that fewer than 25% of cybersecurity applicants are qualified to perform the job functions. I’ve actually had even less optimistic results with less than 10% of candidates qualified. In many cases this is despite certifications, or even similar past job experience. The resource pool is simply not large enough to readily find skilled candidates; and those who are skilled are extremely expensive. I’d like to suggest a different approach: hire the inexperienced and train them.

Time and time again I’ve been surprised at how quickly smart, passionate, but inexperienced individuals out-perform more experienced but “normal” candidates. On average I find that the right candidates learn about twice as fast as your typical candidate. This means that at six months in, my passionate candidate is functioning at the one year experience level; and that one year in, they already function at the equivalent of two years of experience. At this pace it does not take long before they surpass those with more experience; and best of all, home-grown talent is more loyal and won’t typically jump ship. But how do you find this talent?

The best way I’ve found to find smart, passionate, individuals who are interested in cybersecurity is taking a look at those candidates who find the time to learn cybersecurity topics even though they are not required to. This is often showcased in resumes that are littered with self-study topics related to the field, or with participating in one of the many cybersecurity competitions available. This list includes Cyber Aces, Cyber Patriot, the US Cyber Challenge and the National Collegiate Cyber Defense Competition. If you want to check out a site that specializes in showcasing this type of talent, this is why the site CyberCompEx was created.

Unlike the inflated prices of experienced cybersecurity professionals, truly entry-level candidates can typically be picked up at a fraction of the cost. However, with this discount in salary you should be planning on spending a good $5,000-$10,000 the first year on investing in their training. In addition, you should be sure to review their performance at the six month mark and bump their pay appropriately at that time. While home-grown talent is less likely to jump ship, you always need to be in the ball park of their current worth.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Jack Huffard, president, COO and co-founder of Tenable Network Security, discusses the latest legislation on legacy IT in the federal government in his NVTC guest blog post. Huffard will be participating on the Collaborating for Cyber Success Panel at NVTC’s Capital Cybersecurity Summit on November 2-3, 2016.


jack-huffard-2015-2-webIn government IT, the old adage “if it works, don’t fix it” no longer applies. While legacy systems may still technically be working, they can harbor risky vulnerabilities without vendor support, regular security updates or patch management. This point hit home for many in May when a report from the Government Accountability Office revealed that the country’s nuclear arsenal was still controlled by a system with an 8-inch floppy disk.

More recently, the House Oversight and Reform Committee released its report analyzing the OPM Data Breach that exfiltrated personally identifiable information (PII) of over 4 million government employees and over 21 million more cleared individuals. One of the report’s key recommendations was to modernize existing legacy federal information technology assets to help prevent another such egregious attack.

The Modernizing Government Technology Act of 2016

Earlier this year, to address this urgent situation, two bills were introduced in Congress to help modernize government IT systems – the MOVE IT Act and the IT Modernization Fund. Both bills have since been combined into the Modernizing Government Technology Act of 2016 (the MGT Act). This Act would create individual funds for government agencies and a broader centralized fund to which agencies could apply for financing modernization efforts. The bill states that the funds could be used “for technology related activities, to improve information technology, to enhance cybersecurity across the Federal Government.”

Details of the MGT Act

More specifically, MGT stipulates several areas in which modernization funds can be used, including:

  • Replacing existing systems that are outdated and inefficient
  • Transitioning to cloud computing (using the private sector as a model)
  • Enhancing information security technologies

The Act states that the government currently spends almost 75% of its IT budget (which now totals over $80 billion) on operating and maintaining legacy systems, leaving little left over for modernization efforts. Not only are these systems subject to failure, but as they get older and older, they present greater and greater security risks as well. So it is good to see that the Act encourages not only the simple replacement of agencies’ IT systems, but the addition of cybersecurity technology. Regardless of which new technology is chosen – on-premises, virtual, or cloud-based – there is also a pressing need for better information security solutions for government infrastructures, as evidenced by recent agency breaches.

MGT is unique and different than previous proposals because it does not appropriate funds. Rather, it enables agencies to transfer monies – that they have saved by retiring legacy systems and moving to newer technologies – into individual IT working capital funds. They could then reinvest those funds over the next three years for other modernization initiatives, avoiding the “use it or lose it” cycle.

The Act also calls for a general government-wide IT Modernization Fund. This centralized fund would be overseen by the General Services Administration (GSA) and an IT Modernization Board in accordance with guidance from the Office of Management and Budget. Agencies would apply, and present business cases for access to the funds to modernize their legacy IT infrastructures. The centralized fund would then be replenished with savings from those modernization initiatives.

The 8-member IT Modernization Board would include the Administrator of the Office of Electronic Government, a GSA official, a NIST employee, a DoD employee, a DHS employee, and three tech-savvy federal employees.

Moving forward in the 21st century

The MGT Act was introduced by Rep. Will Hurd (R-Tx.) who is one of the few members of Congress with a computer science degree. It was co-sponsored by Rep. Gerry Connolly (D-Va.) in a welcome display of bipartisan collaboration. The House passed the bill at the end of September 2016. It is now up to the Senate to act on the bill. Prospects for passage are encouraging, and this bill would be a good step towards updating legacy IT systems, strengthening cybersecurity and embracing 21st century technologies.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

1021Capital Cybersecurity Summit Logo 3Leading up to our Capital Cybersecurity Summit on November 2-3, 2016, we’ll be sharing a weekly roundup of some of the top cybersecurity stories. Here are the last week’s top headlines. Tweet us interesting cyber articles at @NOVATechCouncil.

IoT:

As cyberthreats multiply, hackers now target medical devices  CNBC

Leaky IoT devices help hackers attack e-commerce sites   CIO

Election:

Connolly: cybersecurity at stake in election  FCW

Government:

U.S. CISO wants to lean on freelance hackers to improve .gov security  FedScoop

CIA Prepping for Possible Cyber Strike Against Russia  NBC

General:

Internet of Things Malware Has Apparently Reached Almost All Countries on Earth   Motherboard

 

Want to learn more about NVTC’s 2016 Capital Cybersecurity Summit? Click here or watch the video below.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

We’re thrilled to share our latest cybersecurity guest blog post written by Rick Howard, chief security officer at Palo Alto Networks. Howard will be sharing his expertise at the Capital Cybersecurity Summit on November 2-3, 2016 on the CISO Sidebar panel.


Rick Howard HeadshotIn today’s cybersecurity landscape, where attacks are increasing in number and sophistication, the network defense model developed over the past 20 years has become overwhelmed. Commonly referred to in cybersecurity circles as the “Cyber Kill Chain,” the model uses what was originally a military concept to help network defenders find a cyber attack and fix any damage it caused and then track, target and engage with the cyber attacker.

Over time, cyber adversaries’ capabilities grew. Soon, they were routinely finding ways to circumvent the Cyber Kill Chain model. This happened for several reasons:

  • Too many tools for defenders to manage. As network defenders struggled to keep up with evolving cyber attackers, more security tools were implemented on the network, and the man-hours spent ensuring those tools were operating correctly and analyzing the data they provided quickly became a burden with which most network defense teams couldn’t keep up.
  • Too much complexity for security. As new security tools were added, the complexity of the network grew. The more complex the network, the easier it is for network defenders to make a mistake that can expose the network to cyber attacks.
  • Too much wasted time. As vendors launched new security tools, customers entered into a kind of arms race in which they were constantly evaluating new “best of breed” security products against each other to determine which was the most effective. These evaluations could take months, with more time and money wasted after a decision was made in order to remove legacy security tools and replace them with new ones, and then train teams on how to use them effectively. It was a process that became more complex – and expensive – every year as cyber threats evolved and new tools were developed to address them.
  • Too inefficient at crossing the last mile. Cyber attackers often leave clues when they penetrate a network’s defenses, which are called “indicators of compromise.” Once an indicator is found, network security vendors develop prevention and detection controls that address the indicator and deploy them to customers—a process the industry has referred as “crossing the last mile.” But when an indicator affects multiple products from different vendors, or a new indicator of compromise is discovered, keeping track of the status of each tool and whether or not that tool has the most updated controls installed becomes a logistical nightmare.

Much of the complexity that currently overwhelms the Cyber Kill Chain model can be solved with an integrated security platform. “Platform” is a buzzword many vendors use, but I define it as a way to combine tools that network defenders have previously implemented as point solutions from different vendors into a platform built and maintained by one vendor. The “secret sauce” is that integration – when the platform components work together – makes each component more effective as a result of its integration with the others and it makes the network easier to defend by reducing the number of tools to be managed.

More advanced security platforms have the additional ability to automate the deployment of prevention and detection controls, making the process to cross the last mile much less labor-intensive. By replacing an ad hoc collection of independent, patched-together tools with a well-integrated, automated security platform, the problems described above become much simpler to resolve or disappear altogether. Partnering with one vendor gives network defenders leverage in terms of contract negotiations. They can use longer term contracts to get significant discounts from the vendor and, because of that, they can insist on creative fulfillment models that are advantageous to themselves in defending their networks.

The challenge for automated security platform adoption is primarily cultural. Network defenders are familiar with the best-of-breed security tool model, and many see the constant evaluation of new tools as a sort of “survival of the fittest” contest that ensures they’ll find the best tool for their network. It will take a lot of education and mind-changing, a process that may require support from an organization’s board of directors or C-suite, to ensure it happens. But it’s a change that needs to happen in order to protect our way of life in this digital way more effectively and efficiently in the future.


Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

1021Capital Cybersecurity Summit Logo 3Leading up to our Capital Cybersecurity Summit on November 2-3, 2016, we’ll be sharing a weekly roundup of some of the top cybersecurity stories. Here are the last week’s top cyber headlines. Tweet us interesting cyber articles at @NOVATechCouncil.

NSA Contractor arrested; charged with stealing top secret info  Cyber Scoop

How did the Feds Get past Yahoo’s encryption? Yahoo!  Wired

Which country has the most malware-infected devices?  CNBC

Johnson & Johnson warns of insulin pump hack risk  USA Today

Hackers used the IoT to create an unprecedented DDoS attack—Now what?  IOT Journal

Federal cybersecurity workforce should be more than just IT degrees  Federal News Radio

Want to learn more about NVTC’s 2016 Capital Cybersecurity Summit? Click here or watch the video below.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

This week’s blog is written by Connie Pilot, executive vice president and chief information officer at Inova Health System. Pilot will be sharing her expertise on the “The Coming Storm from IoT” panel at the Capital Cybersecurity Summit on November 2-3, 2016


Pilot_Connie UpdatedWith billions of data-generating devices connected to the Web, the Internet of Things (IoT) is changing the way we do business. No industry is immune, including healthcare. The Food and Drug Administration estimates that 500 million people around the world use some sort of mobile health app on their smartphones and millions more have embraced wearable health technology. Inside the hospital, Internet-connected medical devices such as MRI machines, CT scanners and dialysis pumps provide critical patient monitoring and support and as wireless technology proliferates in healthcare, so too does risk. The Web is fertile ground for stolen medical records, which are now more valuable to hackers than credit cards. Providers must find new ways to secure private data in an ultra-connected world.

The IoT offers important benefits for healthcare delivery and efficiency. It provides new avenues for patient communication, improves patient engagement and compliance, and enhances value-based care and service. At Inova, we use it in many ways: to monitor fragile newborns in the neonatal intensive care unit, control temperature and humidity in the operating room, deliver pain medication post-operatively and measure heart rhythm in cardiac patients, to name just a few. Medical data tracking enables us to intervene when necessary to provide preventive care, promptly diagnose acute disorders or deliver life-saving medical treatment. The benefits extend beyond our hospital walls into the community, where the IoT drives telehealth advancements that improve access for patients, such as virtual visits, eCheck-In, patient portals and electronic health records.

Balancing the benefits of greater connectivity with the need to protect critical data is a growing priority for healthcare providers. Opportunities exist for instilling interoperability and security standards that will seamlessly facilitate the sharing of necessary patient care information, while continuing to safeguard it from cyber-attacks.

Enabling connection and communication among different information technology systems and software applications can be daunting. While healthcare organizations can use proven security protocols in other domains, differences between IoT devices and traditional computing systems pose significant challenges. The IoT introduces innovative technology that requires emergent, often untested, software and hardware. Wearables, such as consumer fitness trackers and smartwatches, are a case in point. They present non-traditional access into the technology environment. While they use existing communication protocols that can be secured, there are challenges with multi-factor authentication and control of the devices in case of loss or theft.

Additionally, with millions of people using wearables, the volume of data generated can easily overwhelm an organization’s network, leaving it vulnerable to a potential denial of service attack. In this scenario, hackers attempt to prevent legitimate users from accessing information or services. Methods must be developed to limit data transmitted from wearables solely to those devices that should be transmitting and solely to information that is required for patient care.

Clearly, developing new methods of securing devices and the information they generate is a formidable task. We are fortunate to do business in an area that is well positioned to tackle this growing cybersecurity threat. With one of the most sophisticated technology workforces in the country, pioneering start-ups, world-class educational resources and a large government infrastructure, the National Capital region stands at the epicenter of innovation, policy and research. Our collective expertise can help us meet healthcare privacy and security challenges, and keep our patients and community safe.

 

Connie Pilot is executive vice president and chief information officer at Inova Health System. As the leader of Inova’s technology services division, she oversees all aspects of technology, including IT applications, change and quality management, information security, enterprise architecture, service delivery and informatics. 

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

This week’s cybersecurity headlines spanned Yahoo’s massive data breach, growing election cyber threats and a major IoT hack. Leading up to our Capital Cybersecurity Summit on November 2-3, 2016, we’ll be sharing a weekly roundup of some of the top cybersecurity stories. Find an interesting cybersecurity article? Share it with us in the comments or Tweet us at @NOVATechCouncil

Want to learn more about NVTC’s 2016 Capital Cybersecurity Summit? Click here or watch our event video below.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Recent data breaches – from the telecommunications and healthcare industries to the Office of Personnel Management (whose breach impacted over 4 million people) – have left no industry immune to cyber attacks. NVTC recently published a cybersecurity infographic on the rising impacts of cyber threats and the federal government and Great Washington region’s elevated response to these threats. One of the most astounding statistics highlighted in this infographic is the 2016 federal cybersecurity budget, which increased by $5 billion in the last year alone.

The National Capital region is at the intersection of innovation, policy and research and that is why NVTC is hosting the first ever 2016 Capital Cybersecurity Summit on November 2-3, 2016 at The Ritz-Carlton, Tysons Corner.

This region is THE capital of cybersecurity because it is home to:

  1. One of the most educated cybersecurity and tech workforces in the country (55% of tech openings in Virginia are in cyber!)
  2. A large number of Fortune 1000 companies
  3. An incredible number of startup tech firms and entrepreneurs
  4. U.S. Cyber Command
  5. The Department of Defense and intelligence agencies like NSA and CIA, addressing both defensive threats to our classified information and infrastructure as well as offensive cybersecurity capabilities employed against our adversaries
  6. Political and regulatory infrastructure that addresses policy issues surrounding cybersecurity
  7. Unparalleled research infrastructure through institutions like DARPA, IARPA, ODNI, ARL, AFRL (Did you know – The Internet came out of a government-focused research effort at DARPA?)
  8. World class local universities including George Mason University, George Washington University, University of Maryland, University of Virginia and Virginia Tech
  9. Leading Incubators and investors like MACH37, In-Q-Tel, Carlyle Group, Arlington Capital (46% of Greater Washington venture capital funding supported cyber solutions in 2015!)
  10. An underlying commitment to innovation among all members of our region: private companies, government organizations and universities

We’re just over ONE month to go until the Capital Cybersecurity Summit. Planning is well underway and each week we are announcing new panels and speakers. Click here for the latest agenda and to register.

 

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS