Listen up cyber startup companies: Greater Washington is the place to be for expansion; that’s according to top cyber CEOs building some of the biggest cyber growth companies today.
The region’s cyber leaders came together on November 15 at NVTC’s second annual Capital Cybersecurity Summit and shared their unique insights into scaling their businesses and their teams into world-class organizations in the Greater Washington region.
Panelists included John Ackerly, CEO and Co-Founder, Virtru; Rohyt Belani, Co-Founder and CEO, PhishMe; Jack Huffard, President, COO and Co-Founder, Tenable; and Tiffany Olson Jones, CEO, Distil Networks. BlueDelta Capital Partners Co-Founder Mark Frantz moderated.
Here are some of the key takeaways from the discussion:
In moving from startup to a growth company, panelists agreed that companies must fully engage their market segments and tighten their focus to ensure they are serving a specific customer need before expanding.
What sets Greater Washington apart from other regions for cyber growth companies? Employees. The region’s talented cyber workforce and its investment in the cyber mission is unmatched anywhere else. The region is retaining top cyber talent too.
Greater Washington must seize the opportunity to attract and retain millennial tech talent, especially in cybersecurity – and can serve as a national example in doing so.
On November 14-15, 2017, NVTC hosted the second annual Capital Cybersecurity Summit at The Ritz-Carlton, Tysons Corner. Grant Schneider, Acting Federal Chief Information Security Officer and Senior Director for Cybersecurity Policy at the National Security Council, provided keynote remarks on November 15.
Schneider discussed the focus areas outlined in the May 2017 Presidential Executive Order on cybersecurity aimed at informing cybersecurity policy on a national scale and strengthening the security of federal networks and critical infrastructure. Schneider shared how building a highly-skilled cybersecurity workforce is a national priority and stressed the need for more cybersecurity education, personal responsibility and empowerment for consumers.
View full video of Schneider’s remarks below as he covers the administration’s cybersecurity focus areas, the government’s transition towards shared services and the latest news around government IT modernization:
Stay tuned for more Capital Cybersecurity Summit content here on the blog!
Beginning in January 2018, the NVTC Tech Talent Initiative will host a series of webinars detailing how you can take advantage of the resources to support the relatively untapped talent pool of individuals with disabilities and Veterans. The webinar series will also address assistive technologies and disability etiquette. Members of your human resource, facilities operations, talent acquisition, diversity and inclusion, training, compliance, and legal departments are encouraged to participate.
Jan. 18: Recruiting, Hiring and Training Individuals with Disabilities 12:00 – 1:00 p.m.
Kathy West-Evans, M.P.A, CRC, Director of Business Relations for Council of State Administrators of Vocational Rehabilitation (CSAVR), will offer information on affirmative action strategies to assist businesses in recruiting, hiring and training individuals with disabilities and Veterans into their workforce. Register here.
Feb. 15: Office Ergonomics, Universal Design and Assistive Technology 12:00 – 1:00 p.m.
Paula K. Marin, OTR/L, Assistive Technology Specialist with CPID, will discuss office ergonomics, universal design and assistive technology within the IT field. Register here.
March 15: Diversity at Work and Disability Etiquette 12:00 – 1:00 p.m.
LaPearl Smith, Business Development Manager with the Department for Aging and Rehabilitation Services, and Diana McBride, Business Relation Specialist with the Department for the Blind and Vision Impaired, will provide information on diversity at work and disability etiquette. Register here.
Learn more about the Tech Talent Initiative’s workforce resources and participation opportunities here.
Here on the NVTC Blog, we’re sharing original content and video from the second annual Capital Cybersecurity Summit that took place on Nov. 14-15, 2017 at The Ritz-Carlton, Tysons Corner.
Did you know that 50 percent of cyber job openings in the nation are located in the Greater Washington region? Or that there are over 44,000 cyber job openings in the region?
Organizations are getting creative in sourcing cyber talent to maintain a competitive edge. In fact, the talent shortage is becoming a strategic priority for almost every organization in the cyber sector across the country.
The Capital Cybersecurity Summit’s engaging Unique Ways to Attract Top Cyber Talent panel explored innovative ways companies have overcome the cyber talent gap challenges in their organizations. Panelists included U.S. Cyber Challenge National Director Karen Evans; Northrop Grumman Mission Systems Manager, Strategic Analysis, Initiatives & Operations, Cyber & Intelligence Mission Solutions Brian Loggins; Ishpi Information Technologies, Inc. Executive Vice President and Chief Technology Officer Girish Seshagiri; and Cyber Human Capital LLC President and Founder Renee Brown Small. Monster Government Solutions Vice President of Global Strategy and Business Development Susan Fallon moderated.
Emerging from the discussion were unique ways organizations and HR professionals are sourcing – and upskilling – cyber talent. For example:
Ishpi Information Technologies has created a customized, “dual-model” apprenticeship program that combines a specialized cybersecurity curriculum with on-the-job training. The program also provides students assistance with security clearances before graduation, which helps to speed up the often long and tedious clearance process.
Northrop Grumman is partnering with the academic community, especially at the high school level with students interested in STEM, to source talent and engage students earlier in cybersecurity and computer science career paths. Northrop Grumman also offers cybersecurity scholarships at the high school and college level.
Cyber Human Capital’s Renee Brown Small shared that she has found success sourcing cyber talent by working with employees already in an organization who show interest in cybersecurity and upskilling them. Tapping into talent currently in an organization also helps with retention, as employees feel their skills and potential are valued, and that they are being challenged.
U.S. Cyber Challenge is bringing together stakeholders from the public and private sectors to host national cyber competitions to identify emerging cyber talent.
For more strategies and insights around recruiting cyber talent, view the full video from the panel below:
On Dec. 15, the NVTC Small Business and Entrepreneur Committee hosted an exciting Teaming, Partnering and Contracting event at the CIT Building in Herndon. The event focused on best practices for teaming in the government contracting space.
Sixteen companies from the region participated by talking with emerging businesses about how smaller companies can do business with established companies, what types of partners they are looking for and potential opportunities for teaming in the future. Participating companies interested in partnering, teaming and subcontracting with small businesses at the event included AMERICAN SYSTEMS, BAE Systems, Blue Canopy Jacobs, Booz Allen Hamilton, CALIBRE, CACI International, CGI Federal, CSRA, Grant Thornton, MITRE Corporation, Noblis, Northrop Grumman, NTT Data, PwC, SAIC and Serco.
The event also hosted a panel discussion featuring Aronson LLC Principal Consultant Tom Marcinko, The Bridge Host and Moderator Jim McCarthy and SAIC Senior Director, Small Business Development and Utilization Office Michael Townsend. The panel touched on various aspects of teaming in government contracting. Washington Business Journal Editor-At-Large Jennifer Nycz-Conner moderated.
Learn more about the Small Business & Entrepreneur Committee here.
At the second annual NVTC Capital Cybersecurity Summit, I was privileged to moderate an amazing panel discussion on “The State of Cloud Security and Compliance: Dispelling the Myth of Cloud Insecurity.”
What made it so amazing were the panelists who represented the “Big 3” of cloud providers: Susie Adams, Chief Technology Officer, Microsoft Federal; Matthew O’Connor, Security Program Manager for Google Cloud Platform, Google; and Doug Van Dyke, General Manager, Public Sector, Amazon Web Services.
Yes, these three companies are in fierce competition – but, they are also passionate advocates of cloud computing and how it can benefit public and private sector enterprises. That passion really showed throughout our wide-ranging conversation.
During the discussion, the panelists shared why federal agencies, which have been slower than the private sector in adopting cloud computing, despite its advantages in terms of security, cost-effectiveness and capabilities, are now finally picking up the pace on cloud adoption. Our panel noted that NIST Special Publication 800-171, with its emphasis on a common language, has increasingly helped decision-makers better understand the security standards required to operate in the cloud and thus enabled them to make more informed decisions.
Susie Adams of Microsoft stated that “The security paradigm has changed,” because “we are no longer just protecting assets that live behind our firewall…there is now a virtual edge you need to protect.” She added that “Identity is the new firewall, and devices are the new edge.” Another key point Susie made was that, “We are going to need to learn to protect data no matter where it is. If you can make that paradigm shift in your head, then you clearly see cloud providers can give you capabilities you didn’t have before.” I responded by noting that automation is key…it takes the work out of the manual security compliance process and puts it in the hands of the systems.
Currently, some 80 percent of federal IT spending is devoted to maintenance, often of outdated legacy IT systems, which is a massive information security risk. This is compared to 20-something percent for maintenance in much of the commercial sector, where businesses have much more readily adopted the cloud and other such innovative technologies. In our discussion on that issue, Doug Van Dyke of AWS observed that “There is a risk in not adopting these new technologies.” So if enterprises truly want to minimize risk, the cloud should be a means to do so. Susie Adams added that if agencies (and others) are not protecting their infrastructure, they are going to have a breach, and that is “why it’s important for the federal government to take advantage and invest in this new technology.”
Asked to identify what might impede or slow down cloud adoption, Google’s Matt O’Connor named two things – a massive breach that could lead to a more cautious posture vis-à-vis the cloud, and overly burdensome regulation, particularly by other nations. He stressed that governments around the world need to collaborate with, not dictate to, the private sector.
We had a very lively discussion on the responsibilities of customers hosting in the cloud environment. Doug Van Dyke said it is wrong for users to assume that security is someone else’s responsibility in the cloud, which he tied back to educating users. Matt O’Connor summed it up by saying that, in a shared security model, enterprises can look at their cloud security provider as a force multiplier and they should take advantage of what cloud providers have put in place, but they should not neglect their own responsibilities.
We concluded our session with a number of excellent questions from attendees, and Doug Van Dyke summed up the entire discussion best by saying we should mark this date, because we had AWS, Microsoft and Google “all in violent agreement” over the advantages of cloud computing and the need for continued focus on the state of cloud security and compliance.
I agreed with that conclusion – to have business rivals all on the same page is memorable. But cloud security and compliance should be an area where there is strong consensus because they are now so intertwined. And I also believe cloud security providers should explore additional methods to further automate security and compliance processes for their customers.
Here’s a link to the entire session (see video below also). I highly recommend it to anyone exploring a move to the cloud who may have some lingering hesitation. It will be worth your while.
On November 14-15, 2017, NVTC hosted the second annual Capital Cybersecurity Summit at The Ritz-Carlton, Tysons Corner. With over 350 attendees, the Summit highlighted the Greater Washington region’s unmatched set of cybersecurity assets. The Summit featured keynote remarks by Howard Marshall, Deputy Assistant Director, Cyber Intelligence, Outreach and Support Branch at the FBI, and Grant Schneider, Acting Federal Chief Information Security Officer and Senior Director for Cybersecurity Policy at the National Security Council. Engaging panel sessions were led by cybersecurity experts from the public, private and academic sectors, and the Summit’s exhibit hall showcased cybersecurity innovators and companies supporting the region’s cybersecurity industry.
Gartner predicts there will be an estimated 8.4 billion IoT devices by 2020. Tenable President, Chief Operating Officer and Co-Founder Jack Huffard discusses how the proliferation of digital assets and connected devices is creating an exposure gap in cyber defense — and shares how organizations can fight back against cyber-attacks. Huffard participated on the Successful Cybersecurity Growth Companies In the Region panel at the Capital Cybersecurity Summit on Nov. 15, 2017.
It’s been more than two years since the Office of Personnel Management (OPM) disclosed one of the largest data breaches in history, but just last week, the agency’s inspector general gave them a failing grade when it comes to critical areas like risk management and contingency planning.
In addition, the data breaches and attacks we’ve recently seen across a variety of industries, including entertainment, critical infrastructure, retail and finance, make it clear that all organizations are still failing when it comes to basic cyber hygiene.
Today, a company’s assets range not just from laptops to servers, but include mobile devices, internet-connected appliances and the cloud. The latest research shows the number of these assets is only going to increase. For example, Gartner predicts there will be an estimated 8.4 billion IoT devices by 2020. And according to a 2016 IDG Enterprise Cloud Computing Survey, 70 percent of organizations already have apps in the cloud and 16 percent more will within 12 months. This modern, elastic attack surface, where the assets themselves and their associated vulnerabilities are constantly expanding, contracting and evolving, has created a massive gap in organizations’ ability to truly understand their cyber exposure at any given time.
Another major component of today’s elastic attack surface is operational technology (OT), particularly given the growth in the risk of cyber-attacks against critical infrastructure sectors. A recent Ponemon Institute study on the state of cybersecurity in the U.S. oil and gas industry found, for example, that OT targets now comprise 30 percent of all cyberattacks. As with cloud and IoT assets, the cyber exposure gap is exacerbated by the mismatch between the cyber measures deployed by critical infrastructure companies and the rapid pace of digitization in operations. Operational technologies present an additional challenge – they often can’t be assessed with the same approaches as IT assets, creating blind spots for security operations and compliance teams.
We recently announced a partnership with global engineering and technology leader Siemens that aims to address those unique risks. The product, Industrial Security from Tenable, was designed specifically for industrial control systems and will be delivered through Siemens to give energy and utilities companies full visibility into production networks to reduce compliance risk and their cyber exposure.
Both public and private organizations in every sector need to change their approach to cyber risk to effectively manage their cyber exposure. That starts with understanding and protecting what matters most across their entire attack surface. And it means looking at server and endpoint hardening, IoT discovery and hardening, container and web app vulnerability identification and OT asset and vulnerability detection.
Understanding risk and cyber exposure is also an awareness issue that should start at the top. If the C-suite and board of directors know which areas of their business are secure or exposed, that knowledge can drive strategic business decisions, including where and how much to invest to reduce risk. Attackers will always find the weak link, and right now there are too many weak links – even more than companies are aware of.
This year alone, there were several high-profile, large-scale cyber-attacks, including the NotPetya destructionware, the CrashOverride/Industroyer threats to critical infrastructure, and the Reaper IoT botnet. These attacks claimed millions of dollars in company damage and compromised sensitive customer data; no organization wants to become one of these security headlines firsthand. Only with a holistic approach that starts with basic cyber hygiene – visibility to identify all assets and their vulnerabilities – can companies secure today’s complex attack surface.
Dominion Energy Power Delivery Group Vice-President of Technical Solutions Kevin Curtis shares an inside look into the efforts underway to modernize the smart energy grid in Virginia.
To find one of the fastest-growing economic engines for the Commonwealth, one needs simply look to the heavens. The ability to unlock the potential of the sun’s energy is powering a boom in clean energy jobs in Virginia and supporting our high-tech economy. Along with this solar expansion comes new challenges for the power grid and new opportunities for power companies to meet 21st century consumer expectations.
In just the past month, Facebook and Microsoft provided examples of how solar power is soaring to new heights in Virginia and powering critical business resources. Facebook announced a $1 billion investment in a data center outside of Richmond, which will include a $250 million future investment by Dominion Energy in renewables in the state. Soon after, Microsoft helped commission the 20-megawatt Remington Solar Facility in Fauquier County with Dominion Energy as part of its own commitment to renewable energy.
That demand is being felt by us at Dominion Energy. I explained on the webinar that solar expansion has occurred faster than we anticipated. The current power grid wasn’t designed for the variability of solar generation and is being stretched by the proliferation of renewables. Power companies are expected to integrate them seamlessly and to do so while maintaining reliability and keeping costs competitive.
Infrastructure improvements are also needed to help harden critical facilities and protect the grid from escalating cyber and physical threats. Secretary Jackson points to several critical government and private sector customers served by Dominion Energy as an example of the role energy companies play in ensuring public safety.
The key to addressing these evolving challenges is a modern energy grid, which Dominion Energy sees as essential to a stronger, smarter and cleaner energy future. The company is engaged right now in planning a Grid Modernization initiative to adapt to the solar and security challenges, as well as to be better positioned to meet customers’ rising expectations. Residents and businesses expect power that is always on, helpful information on their energy usage and more control over their power bill. Deploying new technology and hardening our system against power outages can satisfy all these needs, if properly executed.
We value all our customers at Dominion Energy and the Grid Modernization initiative is intended to benefit customers of all types. It is a shining opportunity on our horizon to transform our Commonwealth, our energy future and our economy. It provides Dominion Energy a way to improve on its record of safe, reliable, cost-effective power service. It enables the company to meet the demands for more renewable energy and a reduced carbon footprint. And it can continue to fuel clean energy jobs to provide continued growth to Virginia’s high-tech economy.
NVTC’s newest guest blog post from Exostar explains why new government regulations are giving organizations a fresh concern when it comes to cybersecurity. Exostar’s Senior Vice President of Product Development Vijay Takanti will be part of the panel discussion, NIST 800-171: Is the Government Paving the Way for Commercial Security? at the 2017 Capital Cybersecurity Summit November 14-15.
Cybercrime is on the rise, and could cost businesses over $2 trillion by 2019. These losses could be the result of outright theft, lost productivity, impact to customer confidence or costs associated with repairing breaches. But a new, equally ominous risk associated with cybersecurity is emerging for both government contractors and downstream commercial businesses—the risk of losing current and future contracts due to non-compliance with new government standards.
Department of Defense contracts now include a clause, DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” The new clause requires contractors (and their extended supply chains) to implement NIST SP 800-171 cyber safeguards by December 31, 2017 – or at least have a coherent plan for doing so.
NIST SP 800-171 is a set of 110 security controls regulating the handling of sensitive (but not classified) data. Most organizations in the aerospace and defense industry are well aware of these standards and their application to the DFARS mandate by now. However, other organizations that don’t work directly with the government may get pulled into NIST 800-171 compliance because of the global, multi-tiered nature of prime contractors’ supply chains.
Keep in mind that the supply chain on any given project can include hundreds or even thousands of suppliers who are privy to covered defense information (CDI). The more suppliers there are, and the more information they exchange, the more vulnerable they are to cyber-attack and CDI compromise. Even small pieces of information need to be protected at all times.
The NIST 800-171 rules are designed to best protect this sensitive information as it moves across every level of the supply chain. If even one link in the chain is insecure, it could spell trouble for all parties participating on a government program. Officially, the government can start including NIST 800-171 compliance as a requirement for contracts once the rules are in effect. If organizations are not compliant, they will not be able to bid on those contracts, and existing contracts could be in jeopardy.
Organizations that are not compliant with these new cybersecurity controls run the risk of losing out on business, as primes and larger suppliers select preferred vendors who can demonstrate proper cybersecurity hygiene.
The deadline is looming. Mitigate the latest cybersecurity risk by understanding and implementing the NIST 800-171 security controls now, or find a qualified partner to help you do so.