Cyber Resilience Summit Recap
can't manage what you don't measure
In March we held our largest Cyber Resilience Summit to date in Reston, Virginia. Thanks to everyone who attended, and a special thanks to Don Davidson (DoD OCIO) for serving as the event emcee! If you missed it or would like to review the key discussion points, read the executive summary, which includes detailed notes and photos. Thanks to our friends at ANSER for taking notes.
Dr. Dale Meyerrose, USAF ret., former DNI CIO, delivered a keynote, "What's Holding Us Back?" There is a lot of misinformation about cybersecurity and myths abound, says Meyerrose. Most cyber attacks are not sophisticated: 40% of breaches occur through phishing e-mail, and social engineering is still a major method of attack. Today's cybersecurity industry ignores the "cyber-attack chain" and is stuck in the signature-based mentality rut of intrusion detection. Cybersecurity is not a goal in and of itself; it primarily serves the broader objective of securing the enterprise. Thus, cybersecurity is what you do – not what you
Pictured above is Dr. Dale Meyerrose addressing the crowd in Reston. "They don't want your network, they want the stuff that's in your network. So why are we protecting the network?" he asks. The general consensus was the need to strengthen the relationship between software quality, security and resiliency: you can't secure bad code. Cyber resilience is broader than security. This MeriTalk article, Government Cyber Efforts May Focus on Wrong Things, is a great summary of his keynote.
Dr. Ron Ross from NIST, lead on the Risk Management Framework (RMF), joined us to discuss NIST's 800-160 security engineering guidebook, which was published in November. He urges organizations to address security throughout their systems engineering processes rather than "bolting on" firewalls, encryption and monitoring systems to operating systems and applications after they are purchased.
John Weiler, IT-AAC Vice Chair, led a power panel on "Modernizing and Securing Legacy IT" with speakers Jason Hess (NGA), Tony Davis (USCYBERCOM), David McKeown (DISA), Dr. Mitch Crosswait (DoD), and Dr. J. Brian Hall (DoD). The panelists shared updates from their respective organizations. The National Geospatial-Intelligence Agency is moving most of its IT operations to the cloud and looking to
Thanks to co-hosts OMG and IT-AAC, partners OWASP, AFCEA DC, and CIS, and program sponsors Booz Allen Hamilton, CAST, Cognizant, Synopsys, Huawei, Ishpi Information Technologies and
Dr. Bill Curtis
Cyber Resilience Summit
6 June 2017 in Brussels,
Complimentary registration. RSVP today: http://it-cisq.org/cyber-resilience-summit-eu-2017/
All are invited to attend CISQ's upcoming Cyber Resilience Summit in Europe! We're pleased to announce that Dr. J. Michael Gilmore, former Director of Operational Test and Evaluation, U.S. Dept of Defense, now at RAND, will join us in Brussels. Also invited are participants from NATO and the European Commission to discuss managing security and IT risk. Leading a panel discussion is Prof. Georges Ataya from Solvay Brussels School, Academic Director of Information Security Management Education, Managing Partner ICTC.EU, and Vice President of the Belgian Cybersecurity Coalition. Matthew Crabbe, Editor of QA-Financial, will lead a discussion with CIOs and ICT leaders in
Program will focus on:
Software quality standards
Managing technical debt
Risk-managed digital transformation
NIS Directive, EU GDPR, compliance
$50 off OWASP
The event is May 8-12 in Belfast, UK. Apply the code
CISQ is a proud partner of OWASP! CISQ's Security standard (see OMG® Automated Source Code Security Measure) is based on the Top 25 CWEs, OWASP Top 10, SANS Top 25.
Risk and Innovation Summit, April 27 in New York, NY.
May 7-12 in Orlando, FL.
Digital Transformation, May 9-10 in Chicago, IL
AppSec EU, May 8-12 in Belfast,
AFCEA Washington, DC IoT Summit, May 9
2017: The Ninth International Workshop on Managing Technical Debt, May 22 in Cologne, Germany.
Agile Dev, Better Software & DevOps, June 4-9 in Las Vegas, NV
CISQ members: Are you interested in joining a work group to benchmark data on software size, quality, and effort? A few organizations are interested in teaming up on this benchmarking effort. Your organization may remain anonymous. If you are interested, please email email@example.com.
Thank You CISQ