Fortalice Solutions President and CEO and Dark Cubed Co-Founder Theresa Payton sheds light on the gender gap in cybersecurity and discusses ways to engage more women in cyber careers. Fortalice Solutions Chief Information Security Officer Ken Bailey will be speaking on the Life of a Hack: A Business Survival Guide panel at the second annual Capital Cybersecurity Summit on Nov. 14-15, 2017 in Tysons Corner.


What image flashes in your mind when you hear the word “cybersecurity?” Is it a room filled with happy, diverse, productive people making a difference in the world around them? Sadly no. More than likely, it’s a guy hunched over his computer wearing a dark hoodie with some ones and zeros floating above his head. Or maybe it’s a cold room in a basement filled with rows and rows of computer servers. If you’re a woman looking at the next 30-40 years of your life, would you pick a career that looks so ominous? Probably not.

Optics is one of the biggest hurdles we face as cybersecurity professionals and the hurdle is even greater for women in security. Generally speaking, women are more drawn to careers where they can use their intellectual, emotional and interpersonal skills and cybersecurity does a terrible job promoting itself in those areas. What if I told you that cyber can be an extremely emotionally charged field? Yes, it’s logical and yes, it’s technical – but the beauty is that we use those skills in conjunction with softer skills to truly help people.

In my daily life as CEO of Fortalice Solutions, I work directly with the government, corporations and people to protect what’s most important to them, including intellectual property, financial assets and healthcare information. And perhaps the most rewarding of all, I work frequently with law enforcement to use innovative technology to combat human trafficking and childhood sexual exploitation. We need to demystify cybersecurity and talk plainly about how our field helps people, in real tangible ways.

For example, I’ve often said that security is inherently flawed because it is not designed for the human psyche. Today security is not only an afterthought; security designs have zero empathy for the human. Do you know any non-technical professionals who profess a deep fondness for strong passwords? You don’t. Passwords are designed for the technology and we ask the human to conform. Despite cybersecurity best practices, people will share and forget passwords, and they will do unsafe things to get their jobs done, such as use free, unsecured Wi-Fi. Haven’t you? Women’s natural intuition and emotional intelligence to see themselves in someone else’s shoes is exactly what we need to combat this problem!

In order to be more inclusive of women in cybersecurity, at least three things need to happen.

First, hiring managers need to expand their criteria and qualifications. Many hiring managers are leaving women and minority candidates on the sidelines by chasing the same resumes, the same degrees and the same alphabet soup of certifications in future employees. While this might be one indicator of a successful hire, it is not the only indicator. The best cybersecurity professionals are insatiable learners and highly skilled problem solvers who think about the user while never underestimating the adversary. Take a chance on a different degree and background and invest in cross-training. Some of my best cybersecurity team members started out in a different field and are now some of the best, most well-rounded cybersecurity professionals we have on the front lines of fighting cybercrime.

Second, an April 2013 survey of Women in Technology found that 45% of respondents noted a “lack of female role models or [the encouragement to pursue a degree in a technology-related field].” It’s been proven that professional mentorship and development dramatically increase participation in any given field, so the lack of women in cybersecurity is really a compounding problem – we don’t have enough women in cyber because there aren’t enough women role models in cyber. While connecting with other women has had its challenges, there are wonderful women in cyber today… look at KT McFarland, Deputy National Security Advisor and Ambassador to Singapore, and Keren Elazari, a global speaker on cybersecurity and ethical hacker out of Israel. They are rock stars.

I’ve been very lucky to work with wonderful, inspiring women in cyber, but I recognize that my exposure might be greater than that of women starting their careers. This brings me to my third point: I recommend all cyber practitioners, and especially women, take advantage of all the amazing free tools out there from RSA, TED talks, and even YouTube. You can watch speeches from veteran cybersecurity professionals about their careers, hear their advice on how to succeed, and learn new skills to keep you competitive in the workplace. Consider free online courses in cybersecurity or popular programming languages like Python. Ask your colleagues to show you their favorite geek gadget or ethical hack. There are some excellent security frameworks and guidance available for free online such as the NIST framework, CIS Critical Security Controls, SSAE 16, and discussions on GDPR. Leverage social media to hear what’s on the minds of security experts. In this field, be a constant student of your profession.

It’s true there is a shortage of women in cybersecurity but there is not a lack of talented and strong women in this world. Cybersecurity requires a general shakeup and perhaps women are the ones to do it. I’m grateful that I can talk about my industry and I hope more women join this exciting field… and they can even wear their favorite hoodie.


Hear why modern-day supply chain risk management requires a new architectural paradigm shift in NVTC’s latest Capital Cybersecurity Summit guest blog by Strategic Cyber Ventures CEO Tom Kellermann. Kellermann will be moderating the What Keeps CISOs Up At Night? panel at the second annual Capital Cybersecurity Summit on Nov. 14-15.


2017 has been a reality check for corporations. The reality is that cyberspace has become a free-fire zone with a multiplicity of actors who are determined to wreak havoc. The dark side of globalization resides in cyberspace. Corporations are regularly under siege from a multiplicity of threat actors. The cyber arms bazaar that flourishes around the world has allowed criminals and nations to wage long-term campaigns against corporations and government agencies. These cybercriminals stalk businesses and consumers from the fog of the Dark Web. Evidence suggests that the Dark Web has become an economy of scale wherein the cyber-crime syndicates have begun to target the interdependencies of our networks. 2017 has ushered in a foreboding era of digital colonization of American cyberspace.

As the cybercriminal community burrows into our networks, we must appreciate that after the initial theft of data they tend to hibernate. This hibernation allows for secondary schemes of monetization. Some of these criminal endeavors include reverse business email compromise against your customers and/or selective watering hole attacks. Cybercriminals realize that there is implicit trust in your brand; trust that can and will be exploited. The modus operandi of cybercriminals has been modernized, and thus we should allow their offense to inform our defense.

In 2017, CSOs must enhance the scope and diligence of their supply chain security assessment. First, security strategies must encompass more than technology vendors. Law firms and marketing firms should be included in all annual security assessments. Second, any merger or acquisition must include a compromise assessment. Such a compromise assessment should include a penetration test from within your network to the outside world. Finally, service level agreements (SLAs) must be modernized to mitigate the cyber threats of 2017; therefore the rigor of the security controls required must encompass elements of intrusion suppression, such as the proactive use of deception grids and adaptive authentication.

Managing cyber exposures to your supply chain is a function of conducting business in 2017. Beyond mere compliance with existing standards, corporations must protect their brand before it is hijacked. Supply chain risk management requires an architectural paradigm shift to intrusion suppression. Modernizing defense in depth will allow an organization to thwart the burgeoning digital invasion of its network. It is imperative that we reevaluate vendor relationships and institute increased safeguards and oversight, as information supply chain risk is here to stay. Cybersecurity investment begets brand protection, which in turn mitigates third-party risk. Those companies that embrace brand protection as a function of comparative advantage will be better prepared to combat the inevitable attacks that will occur, and will become the titans of industry.


Your company has just encountered a data breach? Now what? In NVTC’s guest blog, Veronica Jackson, associate at Miles & Stockbridge, provides immediate steps a company should take upon discovery of a data breach. Jackson will be participating on the Life of a Hack: A Business Survival Guide panel at the Capital Cybersecurity Summit on Nov. 14-15, 2017.


In the wake of the latest massive data breach, this one involving Equifax, more and more companies are likely wondering what they should do in the event that they are faced with a data breach that exposes the personal data of their employees or customers. Data security incidents involve complex legal issues that must be navigated carefully to reduce the risk of improper (or unnecessary) breach notification, attention from state and federal regulators, and potential class actions related to the exposure of personal information. There are several key steps a company should take upon discovery of a data breach. While these steps are numbered, many of them must happen both immediately and simultaneously.

First, immediately contact your company’s incident response team pursuant to your Written Information Security Plan (or “WISP”). Second, contact law enforcement and any relevant insurance carriers to assist with coverage of costs for the data breach response effort and to prevent waiver of potential coverage for tardy notice. Third, quickly assess the scope of the breach (i.e., whether the breach is ongoing, whether data was acquired or simply accessed by the hacker, who suffered a breach of their personal information, and what type of information was exposed). Fourth, stop the breach, if possible, through remedial data security measures, possibly with the assistance of a forensic IT consultant to bolster your company’s security systems.

Organizations that have already suffered from a breach especially must consider what additional safeguards (including employee training) should be implemented to avoid another breach in the future. Fifth, analyze data breach compliance requirements by identifying the jurisdictions of residence for the affected population and assessing what notification requirements are triggered by each applicable statute.

Data breach compliance requirements also may be triggered by the regulatory framework covering the type of information that was exposed (e.g., HITECH and HIPAA compliance for personal health information). For affected persons residing in Maryland, for example, notification is not required if, after an investigation, the entity determines that personal information has not been or is not likely to be misused (documentation of that conclusion, however, must be retained by the entity for three years). In instances where notification is required, even for just one Maryland resident, notice must first be sent to the Maryland Attorney General’s data breach notification department. In the District of Columbia, on the other hand, there is no “likely harm” exception to notification, and notice to the Attorney General is not required. In instances where 1,000 or more residents are receiving notice at a single time, both Maryland and the District of Columbia require that notice be sent to all nationwide consumer reporting agencies regarding the timing, distribution and content of the notices.

Finally, prepare a data breach response plan that attempts to mitigate potential harm to the affected population and complies with applicable data breach requirement statutes and regulations. Since the Supreme Court’s decision in Spokeo v. Robins attempted (but failed) to clarify the legal standard for what constitutes sufficient harm to a person affected in a data breach for legal standing purposes, a Circuit split has emerged. Because it remains unclear what level of risk for future harm or actual harm is required (short of actual identity theft), efforts to minimize the risk of identity theft and other subsequent harm, as well as providing free preventative services to affected people, are valuable tools that may provide a defense against subsequent litigation stemming from the data breach. Many organizations elect to provide an affected population with identity theft prevention services that monitor their credit and also aid them in any credit repair efforts they may need should they fall victim to identity theft. Many state attorneys general also look at whether an organization is providing such services to its residents when reviewing data breach response notifications.

This blog was written by Veronica Jackson at Miles & Stockbridge.


Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.


Here on the NVTC blog, we continue to share content from our inaugural Capital Cybersecurity Summit that took place on Nov. 2-3, 2016 at The Ritz-Carlton, Tysons Corner.

The 2016 Capital Cybersecurity Summit was highlighted by its keynote speakers: Northrop Grumman Corporate Vice President and Northrop Grumman Mission Systems President Kathy Warden and RSA President Amit Yoran.

In her keynote, Warden discussed the evolution of cybersecurity as the “Fifth Domain,” a fundamental element, permeating all aspects of our daily lives. She stressed the critical need to fill cybersecurity positions in Virginia and the opportunities for public, private and academic sectors to partner together to find creative solutions to address these hiring shortages. View the full video of Warden’s remarks here:

Yoran reinforced the evolution of cybersecurity in his keynote and, like Warden, referenced the expansion of the cyber threat area into business and our daily lives. He stressed the need to develop new flexible, perimeter-less cybersecurity to meet growing threats from mobile and IoT expansion. Yoran explained that the Greater Washington region, with its unmatched research and expertise, is equipped to meet these new cyber demands. In fact, according to Yoran, the region has the potential to be “Security Valley.” View Yoran’s keynote here:


Lights…camera…Cybersecurity Summit! View the Summit’s photo gallery here.

What are you doing on February 15, 2017? NVTC is hosting its first-ever Capital Data Summit in Tysons Corner! Learn more!


Here on the NVTC blog, we continue to share content from our inaugural Capital Cybersecurity Summit that took place on Nov. 2-3, 2016 at The Ritz-Carlton, Tysons Corner.

Did you catch the Capital Cybersecurity Summit’s opening panel, Collaborating for Cyber Success? Panel participants included Invincea CEO Anup Ghosh, Forcepoint Chief Strategy Officer and President, Federal Division, Ed Hammersla and Tenable Network Security COO and Co-Founder Jack Huffard. Blue Delta Capital Partners Co-Founder Mark Frantz moderated.

The panel highlighted the exponentially beneficial cross-flow between government and commercial cybersecurity and discussed the Greater Washington region’s deep and diverse digital security assets – cutting-edge cyber products, pre-eminent talent and rich intellectual capital – that can be applied in the public and private sectors alike.

One of the recurring themes discussed is the need for a public relations paradigm shift when it comes to cybersecurity in the Greater Washington region. Area companies must not only promote their federal clients and solutions, but they must also promote the problems they are solving across all other sectors – and across the globe. The speakers agreed the region’s best cyber asset is its unmatched talent, and companies must continuously promote and engage this talent to keep it in Greater Washington.

Panelists also discussed the historic 2016 elections and their cybersecurity implications. In every sector cyber threats are permeating all aspects of business, and panelists agreed the future judicial implications of cybersecurity will be huge. After all, according to the panelists, cyber risk is business risk.

Why is now the best time to launch a cyber startup in the Greater Washington region? Check out full video coverage of the panel to find out why:

Read Christian Science Monitor’s Passcode coverage of the panel here.

Lights…camera…Cybersecurity Summit! View the Summit’s photo gallery here.


We continue to share content from our inaugural Capital Cybersecurity Summit that took place on Nov. 2-3, 2016 at The Ritz-Carlton, Tysons Corner.

The Summit’s engaging Force Multipliers to Future Cybersecurity Panel explored the Greater Washington Region’s unparalleled cybersecurity talent and the cyber workforce gaps that exist in the region. US Cyber Challenge National Director Karen Evans, MACH37 Managing Partner Rick Gordon, MITRE Innovation Area Lead for Cybersecurity Dr. George Roelke and In-Q-Tel Executive Vice President and Director of Cyber Reboot Teresa Shea participated in the panel. Virginia Tech’s Hume Center for National Security and Technology Director Dr. Charles Clancy moderated.

Dr. Clancy opened the discussion by asking panelists what they thought was the region’s biggest cybersecurity opportunity. All panelists agreed – the region’s cyber talent and expertise are unmatched anywhere. Gordon shared that because of its cyber talent, Greater Washington is at the “center of mass” when it comes to cyber innovation, is able to compete on a global level and can offer high cyber investment returns.

Shea stressed that entrepreneurs are flocking to the region to join its cyber movement, driven by their passion to solve cyber problems. Shea also noted that the region has some of the top cyber thought leadership, which is helping to fuel cyber investment and recruitment in the region.

The conversation dove deeper into the region’s cyber hiring gaps and strategies needed to combat those gaps. Some key points from the discussion:

  • By 2020, there will be a 1.5 million shortfall of cybersecurity professionals in the U.S.; this cyber hiring gap requires new recruitment promotion tactics
  • New, customized cyber training and job pathways must be created; not all cyber professionals will have the same educational and professional backgrounds. As the business and communications sides of cyber evolve today, not all cyber positions are created the same
  • The opportunity for personal growth in the cyber field, especially in the Greater Washington region, is tremendous; a personalized approach to promoting different cyber career paths is required to recruit the best talent

Dr. Clancy asked panelists which new college cybersecurity courses they think should be required today. Here are their suggestions:

  • Reverse engineering coding
  • Technology for the liberal arts
  • Mandatory cybersecurity training
  • Experiential learning

In promoting the region’s unique cyber assets, especially its talent, the panelists agreed that a fundamental public relations shift is needed. No longer is cybersecurity in the region strictly entrenched in the federal government. Cyber providers in the region are solving a vast range of problems across the public and private sectors for global clients.

As illustrated by the panelists, cybersecurity culture is in its infancy, especially in the Greater Washington region, and its evolution will be extremely exciting to watch – and shape.


Check out the full Capital Cybersecurity Summit photo gallery


Throughout the coming weeks on the NVTC blog we’ll be sharing content from our inaugural Capital Cybersecurity Summit that took place on Nov. 2-3, 2016 at The Ritz-Carlton, Tysons Corner.

One of the Summit’s highlights was the Investment Capital for Cybersecurity Panel, which focused on how to raise sufficient capital to fund promising cyber technologies and applications. The discussion featured Crosslink Capital Venture Partner Matt Bigge, Bessemer Venture Partners Vice President Sunil James, Blackstone CISO Jay Leek and Paladin Founder and Managing Partner Michael Steed. Raymond James Managing Director and Co-Head of Technology & Services Stefan Jansen moderated.

Jansen’s opening question for the investor panelists, “What does it take for cybersecurity startups to matter?” brought to light two themes that emerged throughout the panel: (1) to attract and maintain investors, promising cyber businesses must be inherently committed to innovation; (2) the human capital side of cyber startups and the teams that drive them are as important as the technologies themselves for investors.

Steed shared that he looks to invest in cyber companies that are disruptive in the cyber space and filling a void that solves a distinct cyber problem. James noted that his organization looks for a vitality in startups – energy for innovation that inspires engagement in all ranks of the organization and is infectious.

Bigge noted that his most successful cybersecurity investments have been made in organizations with strong founding teams that are passionate about solving their customers’ problems. Leek agreed, stating that investing in a company’s management team is just as important as the technology itself. Leek encouraged promising cyber businesses to take a deeper look into the efficiency of their operations, a critical factor for investors.

Some of the other noteworthy investment factors panelists shared included:

  • The importance of a quality and diversified revenue base for cyber startups
  • Rising cyber businesses must be able to provide ROI for their products and services after their first year
  • Cyber startups should have the ability to pinpoint opportunities for expansion within their existing customer base

View the full video from the Investment Capital for Cybersecurity Panel below and stay tuned for more Capital Cybersecurity Summit content here on the NVTC blog!

Investment Capital for Cybersecurity Panel Video:

Check out the Capital Cybersecurity Summit photo gallery!


Leading up to our Capital Cybersecurity Summit NEXT WEEK on November 2-3, 2016, we’re sharing a weekly roundup of some of the top cybersecurity stories. Here are the last week’s top headlines. Tweet us interesting cyber articles at @NOVATechCouncil.

National Cyber Response Plan + Cybersecurity Strategies:
DHS Races to Get Obama’s Signature on Cyber Response Plan – NextGov
Good Cybersecurity Doesn’t Try to Prevent Every Attack – Harvard Business Review
Why the Auto Industry Is Tapping a Boeing Executive to Lead Its Cybersecurity Group – Fortune

DDoS Attack:
Hobbyist hackers probably caused Friday’s Internet meltdown, researchers say – Washington Post

Cybersecurity Meets Privacy Concerns:
Is Facebook’s Facial-Scanning Technology Invading Your Privacy Rights? – Bloomberg Technology

AI + Cybersecurity:
As Artificial Intelligence Evolves, So Does Its Criminal Potential – The New York Times

Want to learn more about NVTC’s 2016 Capital Cybersecurity Summit and register? Click here or watch the video below. #CapitalCyber


Doug Logan, chief technologist at US Cyber Challenge and CEO of Cyber Ninjas, is the author of our latest cybersecurity guest blog post on new approaches to cybersecurity hiring and retaining top cybersecurity talent. US Cyber Challenge’s National Director, Karen Evans, will be speaking on the Force Multipliers to Future Cybersecurity panel at the 2016 Capital Cybersecurity Summit on Nov. 2-3, 2016.


With over 209,000 vacant cybersecurity jobs in the U.S. and job postings up 74% over the last 5 years, it is an understatement to say that cybersecurity is a growth field. Yet in my work with the US Cyber Challenge, I am routinely told by some of America’s best and brightest that they’re having difficulty finding a job. Once a person reaches the six-month mark in a cybersecurity role, recruiters will call like crazy. Getting that initial experience is another story. If we’re going to secure our companies and our country, this is a problem we need to solve.

Traditional hiring practices suggest that we find people who have performed the job function in the past. By this measure, studies have shown that fewer than 25% of cybersecurity applicants are qualified to perform the job functions. I’ve actually had even less optimistic results, with less than 10% of candidates qualified. In many cases this is despite certifications, or even similar past job experience. The resource pool is simply not large enough to readily find skilled candidates, and those who are skilled are extremely expensive. I’d like to suggest a different approach: hire the inexperienced and train them.

Time and time again I’ve been surprised at how quickly smart, passionate, but inexperienced individuals out-perform more experienced but “normal” candidates. On average I find that the right candidates learn about twice as fast as your typical candidate. This means that at six months in, my passionate candidate is functioning at the one-year experience level, and that one year in, they already function at the equivalent of two years of experience. At this pace it does not take long before they surpass those with more experience; and best of all, home-grown talent is more loyal and won’t typically jump ship. But how do you find this talent?

The best way I’ve found to find smart, passionate individuals who are interested in cybersecurity is to look at those candidates who find the time to learn cybersecurity topics even though they are not required to. This is often showcased in resumes that are littered with self-study topics related to the field, or with participation in one of the many cybersecurity competitions available. This list includes Cyber Aces, Cyber Patriot, the US Cyber Challenge and the National Collegiate Cyber Defense Competition. The site CyberCompEx was created specifically to showcase this type of talent.

Unlike the inflated prices of experienced cybersecurity professionals, truly entry-level candidates can typically be picked up at a fraction of the cost. However, with this discount in salary you should be planning on spending a good $5,000-$10,000 the first year on their training. In addition, you should be sure to review their performance at the six-month mark and bump their pay appropriately at that time. While home-grown talent is less likely to jump ship, you always need to be in the ballpark of their current worth.


Jack Huffard, president, COO and co-founder of Tenable Network Security, discusses the latest legislation on legacy IT in the federal government in his NVTC guest blog post. Huffard will be participating on the Collaborating for Cyber Success Panel at NVTC’s Capital Cybersecurity Summit on November 2-3, 2016.


In government IT, the old adage “if it works, don’t fix it” no longer applies. While legacy systems may still technically be working, they can harbor risky vulnerabilities without vendor support, regular security updates or patch management. This point hit home for many in May when a report from the Government Accountability Office revealed that the country’s nuclear arsenal was still controlled by a system with an 8-inch floppy disk.

More recently, the House Oversight and Reform Committee released its report analyzing the OPM Data Breach that exfiltrated personally identifiable information (PII) of over 4 million government employees and over 21 million more cleared individuals. One of the report’s key recommendations was to modernize existing legacy federal information technology assets to help prevent another such egregious attack.

The Modernizing Government Technology Act of 2016

Earlier this year, to address this urgent situation, two bills were introduced in Congress to help modernize government IT systems – the MOVE IT Act and the IT Modernization Fund. Both bills have since been combined into the Modernizing Government Technology Act of 2016 (the MGT Act). This Act would create individual funds for government agencies and a broader centralized fund to which agencies could apply for financing modernization efforts. The bill states that the funds could be used “for technology related activities, to improve information technology, to enhance cybersecurity across the Federal Government.”

Details of the MGT Act

More specifically, MGT stipulates several areas in which modernization funds can be used, including:

  • Replacing existing systems that are outdated and inefficient
  • Transitioning to cloud computing (using the private sector as a model)
  • Enhancing information security technologies

The Act states that the government currently spends almost 75% of its IT budget (which now totals over $80 billion) on operating and maintaining legacy systems, leaving little left over for modernization efforts. Not only are these systems subject to failure, but as they get older and older, they present greater and greater security risks as well. So it is good to see that the Act encourages not only the simple replacement of agencies’ IT systems, but the addition of cybersecurity technology. Regardless of which new technology is chosen – on-premises, virtual, or cloud-based – there is also a pressing need for better information security solutions for government infrastructures, as evidenced by recent agency breaches.

MGT differs from previous proposals in that it does not appropriate funds. Rather, it enables agencies to transfer monies – that they have saved by retiring legacy systems and moving to newer technologies – into individual IT working capital funds. They could then reinvest those funds over the next three years in other modernization initiatives, avoiding the “use it or lose it” cycle.

The Act also calls for a general government-wide IT Modernization Fund. This centralized fund would be overseen by the General Services Administration (GSA) and an IT Modernization Board in accordance with guidance from the Office of Management and Budget. Agencies would apply, presenting business cases, for access to the funds to modernize their legacy IT infrastructures. The centralized fund would then be replenished with savings from those modernization initiatives.

The 8-member IT Modernization Board would include the Administrator of the Office of Electronic Government, a GSA official, a NIST employee, a DoD employee, a DHS employee, and three tech-savvy federal employees.

Moving forward in the 21st century

The MGT Act was introduced by Rep. Will Hurd (R-Tx.) who is one of the few members of Congress with a computer science degree. It was co-sponsored by Rep. Gerry Connolly (D-Va.) in a welcome display of bipartisan collaboration. The House passed the bill at the end of September 2016. It is now up to the Senate to act on the bill. Prospects for passage are encouraging, and this bill would be a good step towards updating legacy IT systems, strengthening cybersecurity and embracing 21st century technologies.
