Doug Logan, chief technologist at US Cyber Challenge and CEO of Cyber Ninjas, is the author of our latest cybersecurity guest blog post on new approaches to cybersecurity hiring and retaining top cybersecurity talent. US Cyber Challenge’s National Director, Karen Evans, will be speaking on the Force Multipliers to Future Cybersecurity panel at the 2016 Capital Cybersecurity Summit on Nov. 2-3, 2016.


us cyber challenge logoWith over 209,000 vacant cybersecurity jobs in the U.S and job postings up 74% over the last 5 years; it is an understatement to say that cybersecurity is a growth field. Yet with my work with the US Cyber Challenge, I am routinely told by some of America’s best and brightest that they’re having difficulty finding a job. Once a person reaches the six month mark in a cybersecurity role, recruiters will call like crazy. Getting that initial experience is another story. If we’re going to secure our companies and our country, this is a problem we need to solve.

Traditional hiring practices suggest that we find people who have performed the job function in the past. By this measure, studies have shown that fewer than 25% of cybersecurity applicants are qualified to perform the job functions. I’ve actually had even less optimistic results with less than 10% of candidates qualified. In many cases this is despite certifications, or even similar past job experience. The resource pool is simply not large enough to readily find skilled candidates; and those who are skilled are extremely expensive. I’d like to suggest a different approach: hire the inexperienced and train them.

Time and time again I’ve been surprised at how quickly smart, passionate, but inexperienced individuals out-perform more experienced but “normal” candidates. On average I find that the right candidates learn about twice as fast as your typical candidate. This means that at six months in, my passionate candidate is functioning at the one year experience level; and that one year in, they already function at the equivalent of two years of experience. At this pace it does not take long before they surpass those with more experience; and best of all, home-grown talent is more loyal and won’t typically jump ship. But how do you find this talent?

The best way I’ve found to find smart, passionate, individuals who are interested in cybersecurity is taking a look at those candidates who find the time to learn cybersecurity topics even though they are not required to. This is often showcased in resumes that are littered with self-study topics related to the field, or with participating in one of the many cybersecurity competitions available. This list includes Cyber Aces, Cyber Patriot, the US Cyber Challenge and the National Collegiate Cyber Defense Competition. If you want to check out a site that specializes in showcasing this type of talent, this is why the site CyberCompEx was created.

Unlike the inflated prices of experienced cybersecurity professionals, truly entry-level candidates can typically be picked up at a fraction of the cost. However, with this discount in salary you should be planning on spending a good $5,000-$10,000 the first year on investing in their training. In addition, you should be sure to review their performance at the six month mark and bump their pay appropriately at that time. While home-grown talent is less likely to jump ship, you always need to be in the ball park of their current worth.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Jack Huffard, president, COO and co-founder of Tenable Network Security, discusses the latest legislation on legacy IT in the federal government in his NVTC guest blog post. Huffard will be participating on the Collaborating for Cyber Success Panel at NVTC’s Capital Cybersecurity Summit on November 2-3, 2016.


jack-huffard-2015-2-webIn government IT, the old adage “if it works, don’t fix it” no longer applies. While legacy systems may still technically be working, they can harbor risky vulnerabilities without vendor support, regular security updates or patch management. This point hit home for many in May when a report from the Government Accountability Office revealed that the country’s nuclear arsenal was still controlled by a system with an 8-inch floppy disk.

More recently, the House Oversight and Reform Committee released its report analyzing the OPM Data Breach that exfiltrated personally identifiable information (PII) of over 4 million government employees and over 21 million more cleared individuals. One of the report’s key recommendations was to modernize existing legacy federal information technology assets to help prevent another such egregious attack.

The Modernizing Government Technology Act of 2016

Earlier this year, to address this urgent situation, two bills were introduced in Congress to help modernize government IT systems – the MOVE IT Act and the IT Modernization Fund. Both bills have since been combined into the Modernizing Government Technology Act of 2016 (the MGT Act). This Act would create individual funds for government agencies and a broader centralized fund to which agencies could apply for financing modernization efforts. The bill states that the funds could be used “for technology related activities, to improve information technology, to enhance cybersecurity across the Federal Government.”

Details of the MGT Act

More specifically, MGT stipulates several areas in which modernization funds can be used, including:

  • Replacing existing systems that are outdated and inefficient
  • Transitioning to cloud computing (using the private sector as a model)
  • Enhancing information security technologies

The Act states that the government currently spends almost 75% of its IT budget (which now totals over $80 billion) on operating and maintaining legacy systems, leaving little left over for modernization efforts. Not only are these systems subject to failure, but as they get older and older, they present greater and greater security risks as well. So it is good to see that the Act encourages not only the simple replacement of agencies’ IT systems, but the addition of cybersecurity technology. Regardless of which new technology is chosen – on-premises, virtual, or cloud-based – there is also a pressing need for better information security solutions for government infrastructures, as evidenced by recent agency breaches.

MGT is unique and different than previous proposals because it does not appropriate funds. Rather, it enables agencies to transfer monies – that they have saved by retiring legacy systems and moving to newer technologies – into individual IT working capital funds. They could then reinvest those funds over the next three years for other modernization initiatives, avoiding the “use it or lose it” cycle.

The Act also calls for a general government-wide IT Modernization Fund. This centralized fund would be overseen by the General Services Administration (GSA) and an IT Modernization Board in accordance with guidance from the Office of Management and Budget. Agencies would apply, and present business cases for access to the funds to modernize their legacy IT infrastructures. The centralized fund would then be replenished with savings from those modernization initiatives.

The 8-member IT Modernization Board would include the Administrator of the Office of Electronic Government, a GSA official, a NIST employee, a DoD employee, a DHS employee, and three tech-savvy federal employees.

Moving forward in the 21st century

The MGT Act was introduced by Rep. Will Hurd (R-Tx.) who is one of the few members of Congress with a computer science degree. It was co-sponsored by Rep. Gerry Connolly (D-Va.) in a welcome display of bipartisan collaboration. The House passed the bill at the end of September 2016. It is now up to the Senate to act on the bill. Prospects for passage are encouraging, and this bill would be a good step towards updating legacy IT systems, strengthening cybersecurity and embracing 21st century technologies.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

1021Capital Cybersecurity Summit Logo 3Leading up to our Capital Cybersecurity Summit on November 2-3, 2016, we’ll be sharing a weekly roundup of some of the top cybersecurity stories. Here are the last week’s top headlines. Tweet us interesting cyber articles at @NOVATechCouncil.

IoT:

As cyberthreats multiply, hackers now target medical devices  CNBC

Leaky IoT devices help hackers attack e-commerce sites   CIO

Election:

Connolly: cybersecurity at stake in election  FCW

Government:

U.S. CISO wants to lean on freelance hackers to improve .gov security  FedScoop

CIA Prepping for Possible Cyber Strike Against Russia  NBC

General:

Internet of Things Malware Has Apparently Reached Almost All Countries on Earth   Motherboard

 

Want to learn more about NVTC’s 2016 Capital Cybersecurity Summit? Click here or watch the video below.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

We’re thrilled to share our latest cybersecurity guest blog post written by Rick Howard, chief security officer at Palo Alto Networks. Howard will be sharing his expertise at the Capital Cybersecurity Summit on November 2-3, 2016 on the CISO Sidebar panel.


Rick Howard HeadshotIn today’s cybersecurity landscape, where attacks are increasing in number and sophistication, the network defense model developed over the past 20 years has become overwhelmed. Commonly referred to in cybersecurity circles as the “Cyber Kill Chain,” the model uses what was originally a military concept to help network defenders find a cyber attack and fix any damage it caused and then track, target and engage with the cyber attacker.

Over time, cyber adversaries’ capabilities grew. Soon, they were routinely finding ways to circumvent the Cyber Kill Chain model. This happened for several reasons:

  • Too many tools for defenders to manage. As network defenders struggled to keep up with evolving cyber attackers, more security tools were implemented on the network, and the man-hours spent ensuring those tools were operating correctly and analyzing the data they provided quickly became a burden with which most network defense teams couldn’t keep up.
  • Too much complexity for security. As new security tools were added, the complexity of the network grew. The more complex the network, the easier it is for network defenders to make a mistake that can expose the network to cyber attacks.
  • Too much wasted time. As vendors launched new security tools, customers entered into a kind of arms race in which they were constantly evaluating new “best of breed” security products against each other to determine which was the most effective. These evaluations could take months, with more time and money wasted after a decision was made in order to remove legacy security tools and replace them with new ones, and then train teams on how to use them effectively. It was a process that became more complex – and expensive – every year as cyber threats evolved and new tools were developed to address them.
  • Too inefficient at crossing the last mile. Cyber attackers often leave clues when they penetrate a network’s defenses, which are called “indicators of compromise.” Once an indicator is found, network security vendors develop prevention and detection controls that address the indicator and deploy them to customers—a process the industry has referred as “crossing the last mile.” But when an indicator affects multiple products from different vendors, or a new indicator of compromise is discovered, keeping track of the status of each tool and whether or not that tool has the most updated controls installed becomes a logistical nightmare.

Much of the complexity that currently overwhelms the Cyber Kill Chain model can be solved with an integrated security platform. “Platform” is a buzzword many vendors use, but I define it as a way to combine tools that network defenders have previously implemented as point solutions from different vendors into a platform built and maintained by one vendor. The “secret sauce” is that integration – when the platform components work together – makes each component more effective as a result of its integration with the others and it makes the network easier to defend by reducing the number of tools to be managed.

More advanced security platforms have the additional ability to automate the deployment of prevention and detection controls, making the process to cross the last mile much less labor-intensive. By replacing an ad hoc collection of independent, patched-together tools with a well-integrated, automated security platform, the problems described above become much simpler to resolve or disappear altogether. Partnering with one vendor gives network defenders leverage in terms of contract negotiations. They can use longer term contracts to get significant discounts from the vendor and, because of that, they can insist on creative fulfillment models that are advantageous to themselves in defending their networks.

The challenge for automated security platform adoption is primarily cultural. Network defenders are familiar with the best-of-breed security tool model, and many see the constant evaluation of new tools as a sort of “survival of the fittest” contest that ensures they’ll find the best tool for their network. It will take a lot of education and mind-changing, a process that may require support from an organization’s board of directors or C-suite, to ensure it happens. But it’s a change that needs to happen in order to protect our way of life in this digital way more effectively and efficiently in the future.


Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

1021Capital Cybersecurity Summit Logo 3Leading up to our Capital Cybersecurity Summit on November 2-3, 2016, we’ll be sharing a weekly roundup of some of the top cybersecurity stories. Here are the last week’s top cyber headlines. Tweet us interesting cyber articles at @NOVATechCouncil.

NSA Contractor arrested; charged with stealing top secret info  Cyber Scoop

How did the Feds Get past Yahoo’s encryption? Yahoo!  Wired

Which country has the most malware-infected devices?  CNBC

Johnson & Johnson warns of insulin pump hack risk  USA Today

Hackers used the IoT to create an unprecedented DDoS attack—Now what?  IOT Journal

Federal cybersecurity workforce should be more than just IT degrees  Federal News Radio

Want to learn more about NVTC’s 2016 Capital Cybersecurity Summit? Click here or watch the video below.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

This week’s blog is written by Connie Pilot, executive vice president and chief information officer at Inova Health System. Pilot will be sharing her expertise on the “The Coming Storm from IoT” panel at the Capital Cybersecurity Summit on November 2-3, 2016


Pilot_Connie UpdatedWith billions of data-generating devices connected to the Web, the Internet of Things (IoT) is changing the way we do business. No industry is immune, including healthcare. The Food and Drug Administration estimates that 500 million people around the world use some sort of mobile health app on their smartphones and millions more have embraced wearable health technology. Inside the hospital, Internet-connected medical devices such as MRI machines, CT scanners and dialysis pumps provide critical patient monitoring and support and as wireless technology proliferates in healthcare, so too does risk. The Web is fertile ground for stolen medical records, which are now more valuable to hackers than credit cards. Providers must find new ways to secure private data in an ultra-connected world.

The IoT offers important benefits for healthcare delivery and efficiency. It provides new avenues for patient communication, improves patient engagement and compliance, and enhances value-based care and service. At Inova, we use it in many ways: to monitor fragile newborns in the neonatal intensive care unit, control temperature and humidity in the operating room, deliver pain medication post-operatively and measure heart rhythm in cardiac patients, to name just a few. Medical data tracking enables us to intervene when necessary to provide preventive care, promptly diagnose acute disorders or deliver life-saving medical treatment. The benefits extend beyond our hospital walls into the community, where the IoT drives telehealth advancements that improve access for patients, such as virtual visits, eCheck-In, patient portals and electronic health records.

Balancing the benefits of greater connectivity with the need to protect critical data is a growing priority for healthcare providers. Opportunities exist for instilling interoperability and security standards that will seamlessly facilitate the sharing of necessary patient care information, while continuing to safeguard it from cyber-attacks.

Enabling connection and communication among different information technology systems and software applications can be daunting. While healthcare organizations can use proven security protocols in other domains, differences between IoT devices and traditional computing systems pose significant challenges. The IoT introduces innovative technology that requires emergent, often untested, software and hardware. Wearables, such as consumer fitness trackers and smartwatches, are a case in point. They present non-traditional access into the technology environment. While they use existing communication protocols that can be secured, there are challenges with multi-factor authentication and control of the devices in case of loss or theft.

Additionally, with millions of people using wearables, the volume of data generated can easily overwhelm an organization’s network, leaving it vulnerable to a potential denial of service attack. In this scenario, hackers attempt to prevent legitimate users from accessing information or services. Methods must be developed to limit data transmitted from wearables solely to those devices that should be transmitting and solely to information that is required for patient care.

Clearly, developing new methods of securing devices and the information they generate is a formidable task. We are fortunate to do business in an area that is well positioned to tackle this growing cybersecurity threat. With one of the most sophisticated technology workforces in the country, pioneering start-ups, world-class educational resources and a large government infrastructure, the National Capital region stands at the epicenter of innovation, policy and research. Our collective expertise can help us meet healthcare privacy and security challenges, and keep our patients and community safe.

 

Connie Pilot is executive vice president and chief information officer at Inova Health System. As the leader of Inova’s technology services division, she oversees all aspects of technology, including IT applications, change and quality management, information security, enterprise architecture, service delivery and informatics. 

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

This week’s cybersecurity headlines spanned Yahoo’s massive data breach, growing election cyber threats and a major IoT hack. Leading up to our Capital Cybersecurity Summit on November 2-3, 2016, we’ll be sharing a weekly roundup of some of the top cybersecurity stories. Find an interesting cybersecurity article? Share it with us in the comments or Tweet us at @NOVATechCouncil

Want to learn more about NVTC’s 2016 Capital Cybersecurity Summit? Click here or watch our event video below.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Recent data breaches – from the telecommunications and healthcare industries to the Office of Personnel Management (whose breach impacted over 4 million people) – have left no industry immune to cyber attacks. NVTC recently published a cybersecurity infographic on the rising impacts of cyber threats and the federal government and Great Washington region’s elevated response to these threats. One of the most astounding statistics highlighted in this infographic is the 2016 federal cybersecurity budget, which increased by $5 billion in the last year alone.

The National Capital region is at the intersection of innovation, policy and research and that is why NVTC is hosting the first ever 2016 Capital Cybersecurity Summit on November 2-3, 2016 at The Ritz-Carlton, Tysons Corner.

This region is THE capital of cybersecurity because it is home to:

  1. One of the most educated cybersecurity and tech workforces in the country (55% of tech openings in Virginia are in cyber!)
  2. A large number of Fortune 1000 companies
  3. An incredible number of startup tech firms and entrepreneurs
  4. U.S. Cyber Command
  5. The Department of Defense and intelligence agencies like NSA and CIA, addressing both defensive threats to our classified information and infrastructure as well as offensive cybersecurity capabilities employed against our adversaries
  6. Political and regulatory infrastructure that addresses policy issues surrounding cybersecurity
  7. Unparalleled research infrastructure through institutions like DARPA, IARPA, ODNI, ARL, AFRL (Did you know – The Internet came out of a government-focused research effort at DARPA?)
  8. World class local universities including George Mason University, George Washington University, University of Maryland, University of Virginia and Virginia Tech
  9. Leading Incubators and investors like MACH37, In-Q-Tel, Carlyle Group, Arlington Capital (46% of Greater Washington venture capital funding supported cyber solutions in 2015!)
  10. An underlying commitment to innovation among all members of our region: private companies, government organizations and universities

We’re just over ONE month to go until the Capital Cybersecurity Summit. Planning is well underway and each week we are announcing new panels and speakers. Click here for the latest agenda and to register.

 

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

No industry is immune to today’s rapidly evolving cybersecurity risks. Learn how to protect your organization’s prized digital assets and become empowered against the latest cybersecurity threats by attending NVTC’s first ever Capital Cybersecurity Summit on November 2-3, 2016 at The Ritz-Carlton, Tysons Corner.

Learn more about the Summit’s keynote speakers, exciting panels with principals from leading cybersecurity companies and academics, and extraordinary networking and business opportunities in our new Summit video:

The Capital Cybersecurity Summit will provide tremendous business development and educational value for NVTC members and the entire Greater Washington technology community, helping to accelerate and promote the region’s innovation, connect people, companies and academic partners, and showcase the region’s technology assets and workforce.

We hope you’ll join us! View the latest Summit agenda and register for this inaugural event here: http://conferences.nvtc.org/

 

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

NVTC has published the first infographic in its new research series. In this cybersecurity-focused piece, we’ll take a look at the data behind the compelling numbers in the infographic.

NVTC July 2016 Cybersecurity Infographic

NVTC July 2016 Cybersecurity Infographic

The Cybersecurity Workforce Capacity Gap

Federal CIO Tony Scott estimates there are currently 10,000 unfilled cybersecurity positions in the federal government alone. Fifty-five percent of NVTC members responding to a recent survey indicated they are attempting to hire cybersecurity specialists this year. This capacity gap also exists in the commercial sector as well. At a fireside chat on May 26, 2016, Virginia Governor Terry McAuliffe indicated that of the 31,000 Virginia IT openings, 17,000 are in the cybersecurity sector. While Greater Washington is likely the cybersecurity workforce capital of the world, we still face a critical shortage of qualified professionals.

The Department of Defense is attempting to upskill 6,200 cyber professionals from active military and 2,000 from the National Guard and reserve units by 2018 and offered up to $50,000 in retention signing bonuses to current military cybersecurity professionals. Further, OPM authorized the U.S. Cyber Command in 2015 to hire up to 3,000 civilian cybersecurity professionals at the highest federal pay grade outside of senior management positions.

Cybersecurity Incidents and Threat Vector Area Increasing

When we take a look at cybersecurity incidents, we find that simple employee mistakes make up a large percentage of our current risk. The March 18, 2016 Federal Information Security Modernization Act (FISMA) report to Congress cited 77,183 information security incidents over the course of Fiscal Year 2015, which represents a 10 percent increase from FY 2014. Of those incidents, 13 percent were lost, stolen or confiscated equipment; 15 percent were driven by government employee error such as internal policy violations and improper usage; 16 percent were not related to IT, such as the loss of paper records. Strikingly, only 56 percent of all incidents represented an external cybersecurity threat.

Fifty-three percent of IT decision-makers in a SolarWinds and Market Connections survey reported that unwitting insider threats – human error – is the most serious cybersecurity threat. OPM Security Operations Manager Jeff Wagner said “I will have a job until the end of time simply because I have users” at a February 2016 cybersecurity conference in Washington, D.C.

The threat vector area continues to increase as well. In a Crowd Research Partners online survey of 882 IT professionals from across the world, 20 percent suffered a security breach associated with a mobile device, 24 percent indicated that an organizational mobile device connected to a malicious server while roaming and an alarming 39 percent of those devices downloaded malware.

According to Craig Williams of Cisco’s Talos Research, an internet scan by Talos revealed approximately 2.1 million systems vulnerable to the JBoss exploit used in common ransomware attacks. And other JMX-based exploits that have been known for more than a year are waiting in the wings to strike systems based on JBoss as well as related systems such as WebLogic, WebSphere, the open source Jenkins automation server and the OpenNMS network management platform. These are cases where simply updating those systems would patch the vulnerability.

Cost of Data Breaches and Intrusions Rising

The Ponemon Institute’s 2015 Cost of Breach Study: United States indicates the average cost of a data breach rose 11 percent year-over-year, to $6.53 million, with an average cost of $217.00 for each lost or stolen record.

In an official statement on the March 2016 MedStar Health hack, an FBI official disclosed that the reported loss from ransomware attacks in 2015 was $24 million. In its 2014 annual report, the FBI’s Internet Crime Complaint Center (IC3) indicated there were 269,422 complaints filed with reported losses totaling over $800 million. IC3 reports 7,694 ransomware complaints with $57.6 million in losses since 2005.

Cybersecurity Spending and Venture Capital Funding on the Rise

The U.S. government spends more than twice as much annually on cybersecurity than the combined public and private sectors of any other nation. The administration’s 2016 budget allocated $14 billion in cybersecurity spending while the 2017 budget submission calls for over $19 billion.

The 2015-2020 federal cybersecurity market is valued at $65.5 billion. Vendor-provided cybersecurity products and services are estimated to grow from $8.6 billion in FY 2015 to $11 billion in 2020 at a compound annual growth rate of 5.2 percent.

2015 venture capital funding in the Greater Washington region reached $647.85 million for organizations with cybersecurity products or services, representing 45.78 percent of the $1.415 billion in total 2015 venture funding in Greater Washington.

Conclusion

While cybersecurity threats and breaches can be devastating, they are also galvanizing for the technology community. Now, more than ever, there is an opportunity for NVTC members to come together and deepen their commitment and influence in driving innovation and workforce development in cybersecurity. NVTC is here to provide its members with the latest cybersecurity developments through research, communications publications, webinars, conferences and advocacy efforts. Stay tuned for NVTC’s upcoming cutting-edge research series that will feature infographics, white papers and reports.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS