The government shutdown was on the mind of everyone attending the public sector track of this year’s FOCUS event, McAfee’s annual confab that brings together customers and partners to share best practices and discover what’s new from McAfee.
While the shutdown was disappointing, it didn’t disrupt a spirited dialogue about everything from the NIST cybersecurity framework to Continuous Diagnostics and Mitigation to advocating for cybersecurity investments with government leadership.
A few takeaways from the public sector track:
- The NIST cybersecurity framework is industry’s best shot at collaborating with government to improve the national security posture without heavy-handed government regulation. The speakers all agreed that the process so far had been highly productive and collaborative, and that the outcome should go a long way toward helping private industry plan for improved security. Senior government officials have been fully briefed and are fully aware of the cyber threat – so if industry and government can’t come up with a workable framework, politicians will feel the pressure to step in with regulation to get the job done. That only raises the cost for all and forces everyone into a compliance mindset rather than a security mindset, said one panelist.
- Continuous Diagnostics and Mitigation (CDM) – the government’s initiative to help civilian agencies obtain greater visibility into their security postures – should not be perceived as simply a product that agencies will buy and plug into their security architecture. Rather, it is people + process + tools. In other words, you can’t have successful CDM without also looking at changes to the way IT leaders and workers approach security.
- Not everyone in the decision-making chain understands cybersecurity risk. In fact, many of the higher-ups don’t understand it at all. Therefore, said the panelists, security pros in government and those advising government need to shift the way they explain the risk and the security investment required to mitigate it. Rather than talking about the dramatic growth in the number of attacks, for example, talk about the cost impact of the threat of millions of citizen records being hacked. Or talk about the impact on battlefield readiness. The NIST framework should help non-IT decision-makers understand their current security posture and what’s needed to strengthen it.
Special thanks to all the panelists who contributed their time and public sector cybersecurity insights at FOCUS. We missed our government colleagues, but we look forward to continuing the public-private exchange of ideas in the months ahead.