CISQ & IT Risk Management: Minimizing Risk in Government IT Acquisition

Apr 13, 2016 by Lev Lesokhin

6On March 15, CISQ hosted the Cyber Resilience Summit in Washington, D.C., bringing together nearly 200 IT innovators, standards experts, U.S. Federal Government leaders and attendees from private industry. The CISQ quality measures have been instrumental in guiding software development and IT organization leaders concerned with the overall security, IT risk management and performance of their technology. It was invigorating to be amongst like-minded professionals who see the value in standardizing performance measurement.

IT Risk Management – CISQ Cyber Resilience Summit, Washington, D.C.

The Summit covered topics from the layered cybersecurity defense approach taken by the NSA, to the impact of acquisition policy on the reliability and security of Federal software-intensive systems. I had the privilege of presenting alongside Emile Monette of the U.S. General Services Administration, John Weiler of IT-AAC, and Richard Spires, currently of Learning Tree International and recently CIO of the U.S. Department of Homeland Security.

Our panel was focused on IT Acquisition and driving down cyber risk. As we analyzed the current status quo, we made four key findings:

 

  1. Federal acquisition goals differ from those of the Private Sector. While Private Sector companies are more concerned with increasing revenue and reducing inefficiencies, Government acquisition policy is focused on ensuring fairness and providing fiscal stimulus to underprivileged American businesses. This means low cost, secure solutions is not always the primary focus.
  2. Goals of acquisition and IT teams need to be aligned. In addition to not prioritizing the bottom line, Government IT acquisition leaders and CIOs have different incentives, with CIOs focusing on development and deployment. These groups must align their goals in order to get reliability and security built into the foundation of federal software.
  3. There is a lack of framework. Current federal guidelines like NIST are useful in establishing cybersecurity standards, but a more specific framework of reliability and security standards, one that can be cited as a requirement is needed to support successful IT Acquisition.
  4. The Private Sector is beating Federal IT in acquisition practices. Private companies are getting more bang for their buck in acquisition, and shareholders are getting more ROI than the taxpayer.

CAST is working closely with industry groups such as CISQ to implement best-in-class measurement standards that will aid both the private and public sector. The software measurement standards that pertain to software risk and resilience - those focused on the full application and transactions rather than only code quality - are of particular importance to industry.

Poor quality code makes it harder to build onto systems over time, and it exposes software to more threats from hackers. Too often security is not a key factor in the beginning stages of software development, creating a difficult environment to secure and protect.

At CAST, we have established five key measurement qualities: Robustness, Efficiency, Security, Changeability and Transferability. Customers around the globe are identifying and mitigating security flaws before they turn into risks, saving immeasurable time and resources. As we continue to work with our government customers on IT risk management, we look forward to seeing the taxpayer reap the benefits of quality software.

Filed in: Application Quality CAST Events Industry News Risk & Security
Tagged: application security Cast Event CISQ Government IT risk management software risk Software Risk Management
Get the Pulse Newsletter Sign up for the latest Software Intelligence news Subscribe Now <>
Open source is part of almost every software capability we use today. At the very least libraries, frameworks or databases that get used in mission critical IT systems. In some cases entire systems being build on top of open source foundations. Since we have been benchmarking IT software for years, we thought we would set our sights on some of the most commonly used open source software (OSS) projects. Software Intelligence Report <> Papers
In our 29-criteria evaluation of the static application security testing (SAST) market, we identified the 10 most significant vendors — CAST, CA Veracode, Checkmarx, IBM, Micro Focus, Parasoft, Rogue Wave Software, SiteLock, SonarSource, and Synopsys — and researched, analyzed, and scored them. This report shows how each measures up and helps security professionals make the right choice. Forrester Wave: Static Application Security Testing, Q4 2017 Analyst Paper
This study by CAST reveals potential reasons for poor software quality that puts businesses at risk, including clashes with management and little understanding of system architecture. What Motivates Today’s Top Performing Developers Survey
Lev Lesokhin
Lev Lesokhin EVP, Strategy and Analytics at CAST
Lev spends his time investigating and communicating ways that software analysis and measurement can improve the lives of apps dev professionals. He is always ready to listen to customer feedback and to hear from IT practitioners about their software development and management challenges. Lev helps set market & product strategy for CAST and occasionally writes about his perspective on business technology in this blog and other media.
More Posts from Lev >>
Load more reviews
Thank you for the review! Your review must be approved first
Rating
New code

You've already submitted a review for this item

|

Get a Demo    •    Contact Us    •     Support    •     The Software Intelligence Blog    •     Privacy Policy    •     SiteMap    •     Glossary    •     Archive

Copyright 2018 - CAST | All Rights Reserved