April 2017

Cyber Resilience Summit Recap

You can't manage what you don't measure

In March we held our largest Cyber Resilience Summit to date in Reston, Virginia. Thanks to everyone who attended and a special thanks to Don Davidson (DoD OCIO) for serving as the event emcee! If you missed it or would like to review key discussion points, read the executive summary which is detailed with notes and photos. Thanks to our friends at ANSER for taking notes.

Dr. Dale Meyerrose, USAF ret., former DNI CIO, delivered a keynote titled "What's Holding Us Back?" There is a lot of misinformation about cybersecurity and myths abound, says Meyerrose. Most cyber attacks are not sophisticated: 40% of breaches occur through phishing e-mail, and social engineering is still a major method of attack. Today's cybersecurity industry ignores the "cyber-attack chain" and is stuck in the signature-based mentality rut of intrusion detection. Cybersecurity is not a goal in and of itself; it primarily serves the broader objective of securing the enterprise. Thus, cybersecurity is what you do, not what you buy.

Pictured above is Dr. Dale Meyerrose addressing the crowd in Reston. "They don't want your network, they want the stuff that's in your network. So why are we protecting the network?" he asks. The general consensus was on the need to strengthen the relationship between software quality, security and resiliency: you can't secure bad code, and cyber resilience is broader than security. This Meritalk article, Government Cyber Efforts May Focus on Wrong Things, is a great summary of his keynote.

Dr. Ron Ross from NIST, lead on the Risk Management Framework (RMF), joined us to discuss NIST's 800-160 security engineering guidebook that was published in November. He urges organizations to address security throughout their systems engineering processes rather than "bolting on" firewalls, encryption and monitoring systems to operating systems and applications after they are purchased.

John Weiler, IT-AAC Vice Chair, led a power panel on "Modernizing and Securing Legacy IT" with speakers Jason Hess (NGA), Tony Davis (USCYBERCOM), David McKeown (DISA), Dr. Mitch Crosswait (DoD), and Dr. J. Brian Hall (DoD). The panelists shared updates from their respective organizations. The National Geospatial-Intelligence Agency is moving most of its IT operations to the cloud and looking to re-invent security.

Thanks to co-hosts OMG and IT-AAC, partners OWASP, AFCEA DC, and CIS, and program sponsors Booz Allen Hamilton, CAST, Cognizant, Synopsys, Huawei, Ishpi Information Technologies and Advanced Onion.

Dr. Bill Curtis
Executive Director


Brussels Event Invitation

Cyber Resilience Summit
6 June 2017 in Brussels, Belgium

Complimentary registration. RSVP today:

All are invited to attend CISQ's upcoming Cyber Resilience Summit in Europe! We're pleased to announce that Dr. J. Michael Gilmore, former Director of Operational Test and Evaluation, U.S. Dept of Defense, now at RAND, will join us in Brussels. Participants from NATO and the European Commission are also invited to discuss managing security and IT risk. Prof. Georges Ataya from Solvay Brussels School, Academic Director of Information Security Management Education, Managing Partner ICTC.EU, and Vice President of the Belgian Cybersecurity Coalition, will lead a panel discussion. Matthew Crabbe, Editor of QA-Financial, will lead a discussion with CIOs and ICT leaders in Europe.

The program will focus on:

  • Software quality standards

  • Managing technical debt

  • Risk-managed digital transformation

  • NIS Directive, EU GDPR, compliance


Save $50 off OWASP AppSec EU

The event is May 8-12 in Belfast, UK. Apply the code CISQ201750 at registration.


CISQ is a proud partner of OWASP! CISQ's Security standard (see OMG® Automated Source Code Security Measure) is based on the Top 25 CWEs, the OWASP Top 10 and the SANS Top 25.



Upcoming Events

Software Risk and Innovation Summit, April 27 in New York, NY

STAREAST, May 7-12 in Orlando, FL

Forrester Digital Transformation, May 9-10 in Chicago, IL

OWASP AppSec EU, May 8-12 in Belfast, UK

AFCEA Washington, DC IoT Summit, May 9 in DC

MTD 2017: The Ninth International Workshop on Managing Technical Debt, May 22 in Cologne, Germany

Agile Dev, Better Software & DevOps West, June 4-9 in Las Vegas, NV

CISQ members: Are you interested in joining a work group to benchmark data on software size, quality, and effort? A few organizations are interested in teaming up on this benchmarking effort. Your organization may remain anonymous. If you are interested, please email


Thank You CISQ Sponsors

About CISQ
The Consortium for IT Software Quality (CISQ) is an IT industry leadership group comprised of IT executives from the Global 2000, system integrators, outsourced service providers, and software technology vendors committed to introducing computable metrics standards for measuring software quality and size. CISQ is a neutral, open forum in which customers and suppliers of IT application software can develop an industry-wide agenda of actions for improving IT application quality and reducing cost and risk.
