On March 15, CISQ hosted the Cyber Resilience Summit in Washington, D.C., bringing together nearly 200 IT innovators, standards experts, U.S. Federal Government leaders and attendees from private industry. The CISQ quality measures have been instrumental in guiding software development and IT organization leaders concerned with the overall security, IT risk management and performance of their technology. It was invigorating to be amongst like-minded professionals who see the value in standardizing performance measurement.
IT Risk Management – CISQ Cyber Resilience Summit, Washington, D.C.
The Summit covered topics from the layered cybersecurity defense approach taken by the NSA, to the impact of acquisition policy on the reliability and security of Federal software-intensive systems. I had the privilege of presenting alongside Emile Monette of the U.S. General Services Administration, John Weiler of IT-AAC, and Richard Spires, currently of Learning Tree International and recently CIO of the U.S. Department of Homeland Security.
Our panel was focused on IT Acquisition and driving down cyber risk. As we analyzed the current status quo, we made four key findings:
- Federal acquisition goals differ from those of the Private Sector. While Private Sector companies are more concerned with increasing revenue and reducing inefficiencies, Government acquisition policy is focused on ensuring fairness and providing fiscal stimulus to underprivileged American businesses. This means low cost, secure solutions is not always the primary focus.
- Goals of acquisition and IT teams need to be aligned. In addition to not prioritizing the bottom line, Government IT acquisition leaders and CIOs have different incentives, with CIOs focusing on development and deployment. These groups must align their goals in order to get reliability and security built into the foundation of federal software.
- There is a lack of framework. Current federal guidelines like NIST are useful in establishing cybersecurity standards, but a more specific framework of reliability and security standards, one that can be cited as a requirement is needed to support successful IT Acquisition.
- The Private Sector is beating Federal IT in acquisition practices. Private companies are getting more bang for their buck in acquisition, and shareholders are getting more ROI than the taxpayer.
CAST is working closely with industry groups such as CISQ to implement best-in-class measurement standards that will aid both the private and public sector. The software measurement standards that pertain to software risk and resilience - those focused on the full application and transactions rather than only code quality - are of particular importance to industry.
Poor quality code makes it harder to build onto systems over time, and it exposes software to more threats from hackers. Too often security is not a key factor in the beginning stages of software development, creating a difficult environment to secure and protect.
At CAST, we have established five key measurement qualities: Robustness, Efficiency, Security, Changeability and Transferability. Customers around the globe are identifying and mitigating security flaws before they turn into risks, saving immeasurable time and resources. As we continue to work with our government customers on IT risk management, we look forward to seeing the taxpayer reap the benefits of quality software.