Montgomery County has placed its bet on cybersecurity, making some ambitious moves to ensure it is a major player in the young and fast-growing industry. That includes converting a biotechnology incubator in Rockville to become the home of the newly formed National Cybersecurity Center of Excellence (NCCoE).
The NCCoE was created under the National Institute of Standards and Technology (a branch of the U.S. Department of Commerce with a large campus in Gaithersburg) to provide solutions to cybersecurity businesses on a national level.
Now that those efforts are coming together, the next step for the county is to foster a relationship not only with federal agencies and cybersecurity companies but also with cybersecurity businesses and other industries from financial to biotechnology. As the event's overarching theme had it, cybersecurity is affecting all walks of life.
Cybersecurity organizations from the Mid-Atlantic region came together Thursday at the University System of Maryland, Shady Grove campus, to attend an installment of the NCCoE Speaker Series. Attendees included officials from the Montgomery County and State of Maryland Departments of Business and Economic Development as well as the Director of the National Cybersecurity Center of Excellence, Donna F. Dodson, who gave the opening welcome.
Janet Levesque, Chief Information Security Officer at RSA, the Security Division of EMC, was the guest speaker at the event, telling a sold-out crowd of about 100 about the big shift in understanding the cybersecurity industry: it's not just an IT issue.
Levesque noted that whenever cyber professionals start talking to businesses about information sharing, people become reluctant to share because they're afraid they might get sued. So her solution was to create a protected group where everyone signs an agreement. “Right now it's a grassroots movement but it's proven to be very effective,” she noted. It's also important to remember that unless you have a good understanding of what a company's critical assets are, you can't effectively build an appropriate cyber program to protect those assets. Levesque used to be part of a $75 million software company along the Route 128 technology hub in the greater Boston area, where she helped start an informal information sharing group. “Partnering with people in the same size, scale and vertical that you are in, is something that you can do informally.”
Levesque is also currently working on an annual update on enterprise risk assessment, talking to key business teams and units to find out what risks they see in their environment. What she found is that what non-cyber professionals value is at odds with what those in the field value. It wasn't about cybersecurity but risk management, yet it's important for the two to come together, and it can't be piecemeal.
Cindy Faith of Fidelius Strategic Services, a Columbia-based cybersecurity consulting firm that helps small to mid-sized businesses, came to the event not only to network but also for more insight to help those types of businesses, which tend not to have a regulatory division. Faith said there are new federal regulations in play regarding the safeguarding of unclassified controlled technical information that contractors must adhere to, and many have no clue how to meet them.
Another trend brought up was dashboards. One attendee described his interactions with the board of directors around cybersecurity but was apprehensive about releasing time-lagged information. Levesque said she didn't walk into dashboard issues when starting her role but over time noticed that “before and after” metrics are pretty compelling, whereas reporting how many malware attacks were thwarted won't tell C-level management how your program is working. Rather, letting them know about training employees on the latest technology is more effective and, as a bonus, could also land your department more funding.
Cyber professionals know that one of the most important parts of the job is gaining knowledge, skills and certifications in cybersecurity. Levesque stated there is a lot of information out there to digest, but she relies on her in-house research team and certification companies like the SANS Institute, the Bethesda-based company specializing in IT and cybersecurity training. While this is all important, she said it becomes less so the farther up the chain you go in your career. “Frankly I would take someone without a certification who has good communication and interpersonal skills over a certified person any day.”