CISQ & IT Risk Management: Minimizing Risk in Government IT Acquisition

Apr 13, 2016 by Lev Lesokhin

6On March 15, CISQ hosted the Cyber Resilience Summit in Washington, D.C., bringing together nearly 200 IT innovators, standards experts, U.S. Federal Government leaders and attendees from private industry. The CISQ quality measures have been instrumental in guiding software development and IT organization leaders concerned with the overall security, IT risk management and performance of their technology. It was invigorating to be amongst like-minded professionals who see the value in standardizing performance measurement.

IT Risk Management – CISQ Cyber Resilience Summit, Washington, D.C.

The Summit covered topics from the layered cybersecurity defense approach taken by the NSA, to the impact of acquisition policy on the reliability and security of Federal software-intensive systems. I had the privilege of presenting alongside Emile Monette of the U.S. General Services Administration, John Weiler of IT-AAC, and Richard Spires, currently of Learning Tree International and recently CIO of the U.S. Department of Homeland Security.

Our panel was focused on IT Acquisition and driving down cyber risk. As we analyzed the current status quo, we made four key findings:

 

  1. Federal acquisition goals differ from those of the Private Sector. While Private Sector companies are more concerned with increasing revenue and reducing inefficiencies, Government acquisition policy is focused on ensuring fairness and providing fiscal stimulus to underprivileged American businesses. This means low cost, secure solutions is not always the primary focus.
  2. Goals of acquisition and IT teams need to be aligned. In addition to not prioritizing the bottom line, Government IT acquisition leaders and CIOs have different incentives, with CIOs focusing on development and deployment. These groups must align their goals in order to get reliability and security built into the foundation of federal software.
  3. There is a lack of framework. Current federal guidelines like NIST are useful in establishing cybersecurity standards, but a more specific framework of reliability and security standards, one that can be cited as a requirement is needed to support successful IT Acquisition.
  4. The Private Sector is beating Federal IT in acquisition practices. Private companies are getting more bang for their buck in acquisition, and shareholders are getting more ROI than the taxpayer.

CAST is working closely with industry groups such as CISQ to implement best-in-class measurement standards that will aid both the private and public sector. The software measurement standards that pertain to software risk and resilience - those focused on the full application and transactions rather than only code quality - are of particular importance to industry.

Poor quality code makes it harder to build onto systems over time, and it exposes software to more threats from hackers. Too often security is not a key factor in the beginning stages of software development, creating a difficult environment to secure and protect.

At CAST, we have established five key measurement qualities: Robustness, Efficiency, Security, Changeability and Transferability. Customers around the globe are identifying and mitigating security flaws before they turn into risks, saving immeasurable time and resources. As we continue to work with our government customers on IT risk management, we look forward to seeing the taxpayer reap the benefits of quality software.

Filed in: Application Quality CAST Events Industry News Risk & Security
Tagged: application security Cast Event CISQ Government IT risk management software risk Software Risk Management
Cloud Smart: How to Ensure an Efficient and Secure Journey
Cloud Smart: How to Ensure an Efficient and Secure Journey
Recorded Webinar
Software Intelligence at the core of M&A Advisory

Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services. 

Erik describes the changing landscape of M & A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target’s systems, customized quality metrics, and liability implications of open source components - all three that are critical for an M&A due diligence.

Video Interview
Eliminate vulnerabilities while improving performance
CAST AIP was implemented for a Federal Law Enforcement Agency in the US. CAST AIP helped identify and resolve several critical violations and flaws in the software leading to an immediate saving of ~ $250K in software maintenance.
Case Study
Lev Lesokhin
Lev Lesokhin EVP, Strategy and Analytics at CAST
Lev spends his time investigating and communicating ways that software analysis and measurement can improve the lives of apps dev professionals. He is always ready to listen to customer feedback and to hear from IT practitioners about their software development and management challenges. Lev helps set market & product strategy for CAST and occasionally writes about his perspective on business technology in this blog and other media.
More Posts from Lev >>

Write a review Average rating:
()
Newest on top Oldest on top
Load more reviews
Thank you for the review! Your review must be approved first
You've already submitted a review for this item
|
()