Government Information Security Podcast

  • Author: Various
  • Narrator: Various
  • Publisher: Podcast

Information:

Synopsis

Exclusive, insightful audio interviews by our staff with leading government/security practitioners and thought leaders. Transcripts are also available on our site!

Episodes

  • Collaboration: Keeping IT in Kansas Safe - Interview with Kansas CISO Larry Kettlewell

    20/07/2009

    Larry Kettlewell is Kansas' chief information security officer, but has no direct authority over individual state agencies' implementation of IT security. But Kettlewell isn't without influence. He chairs the state IT Security Council and heads the Department of Information Services and Communication's Enterprise Security Office, which coordinates incident response and oversees the state's IT infrastructure as it relates to security. In an interview with GovInfoSecurity.com, Kettlewell discusses: Kansas' uncommon approach to IT security governance; Major obstacles the state faces in securing IT; How cybersecurity policy being developed in Washington will have an impact on states; and Challenges in recruiting an IT security workforce. Eric Chabrow, GovInfoSecurity managing editor, interviewed Kettlewell.

  • State Lures Higher-Paid IT Security Pros - Interview with Minnesota CISO Chris Buse

    17/07/2009

    If the choice were between an intriguing job or a higher salary, what would you choose? Minnesota Chief Information Security Officer Chris Buse thinks many information security pros would choose the challenge over money. The ranks of state IT security employees have a number of people who were attracted to government service by the challenges of creating and maintaining secure IT in an environment that most businesses cannot replicate, says Buse, in the second of a two-part interview with Information Security Media Group's GovInfoSecurity.com. Buse describes government work as "a feel-good job," especially for those who have spent years "grinding out money for the stockholders. ...We have a lot of people who have done some pretty remarkable things in their career, but come in here and took pay cuts to be part of our organization." In the interview, Buse explains how he's looking to find bright, talented computer science graduates from regional universities to join the state's IT security team. He a

  • IT Security: Scarce Money, No Excuses

    15/07/2009

    Interview with Chris Buse, Minnesota Chief Information Security Officer. Minnesota, like nearly all other states, can't count on overflowing coffers to fully fund crucial programs, such as IT security. But Chris Buse, Minnesota's chief information security officer, says limited funds are no excuse for not properly safeguarding the state's information assets. "Absolutely not," Buse responded to a question about whether sufficient funds exist to fully secure IT. But it's incumbent on government leaders like Buse to figure out how to work with one another to stretch those dollars to provide the security the state needs. "It's difficult, especially if you're a taxpayer to hear somebody in government say, 'Oh, that's not enough money to provide adequate security,'" Buse said in an interview with Information Security Media Group's GovInfoSecurity.com. In the interview, the first of two parts, Buse also addresses efforts to shift to a hybrid IT security management approach from a decentralized one while allowing ag

  • In Praise of FISMA

    14/07/2009

    Interview with National Science Foundation CIO George Strawn. It's not too often you find an IT leader praising FISMA, but National Science Foundation CIO George Strawn says his agency has made great strides in securing IT by following Office of Management and Budget guidance on the Federal Information Security Management Act. "We've had A's and A-pluses for the last two or three years from the congressional grading of the results from FISMA," Strawn says, in an interview with Information Security Media Group's GovInfoSecurity.com. "Does it work? If you think that FISMA means certify and accredit of all of your information systems, you can make it a paper process that is nothing but bureaucratic, and really doesn't improve the security for much. "I suppose we spent little more on C&A process than they were worth. But since we take security seriously and have a multi-dimensional security process, overall we're pretty satisfied with the requirements that have come down from OMB-land to us. Some of them m

  • Incident Response for Data Breaches - Shane Sims, PricewaterhouseCoopers

    10/07/2009

    A veteran cybersecurity pro, Shane Sims shares his insights on trends he's seeing as cybercrime continues to hit all companies, including financial institutions. Sims is currently a Director in the Forensic Services practice at PricewaterhouseCoopers, where he provides investigative, forensic technology, security incident response and cyber security services to commercial and government clients. He is a former FBI Supervisory Special Agent who specialized in cybercrime, digital evidence, computer exploitation, and network surveillance. Listen to this podcast and hear Sims' insights on: Who's hitting financial institutions with cybercrime activities; Why just having an incident response plan isn't enough; What needs to happen (and what shouldn't be done) when a breach occurs.

  • Can Cyber Terrorism Exist? - Interview with Jim Harper of The Cato Institute

    10/07/2009

    Jim Harper contends cyber terrorism does not exist, believing it's a creation of politicians, government contractors and pundits who try to make the problem of securing government IT bigger than it really is. Simply, it's a scare tactic. "Cyber terrorism, in particular, cannot exist," says Harper, director of information policy studies at The Cato Institute, a libertarian think tank. "I think there's no such thing as cyber terrorism because cyberattacks can't cause terror. They don't scare us, and that's an essential element of terrorism as the name implies." In an interview with Information Security Media Group's GovInfoSecurity.com, Harper also: Analogizes the digital world with the real world, and as everything in the real world isn't secured, not all things in cyberspace must be safeguarded, too. Proposes IT vendors assume more responsibility - and liability - for the products they sell in the event of cyberattacks, even if that should raise the price of wares the government, businesses and consumers pay

  • Unique Programs: Excellence in Information Assurance, University of Dallas

    09/07/2009

    Information assurance is what everyone is talking about these days, and the term is strongly associated with "excellence" at the University of Dallas. Listen to Dr. Brett J.L. Landry, Director of the school's Center for Academic Excellence, Information Assurance, discuss: What makes the school's program unique; How students maximize their education; The future of information assurance education. Landry is the Ellis Endowed Chair of Technology Management, Associate Professor and Director of the Center for Academic Excellence in Information Assurance at the University of Dallas. He joined the University of Dallas in the fall of 2006, following six years of teaching at the University of New Orleans. He has worked in network security and design in the private and public sector and earned his Ph.D. from Mississippi State University. Landry has published numerous journal articles on Information Technology in the ACM Journal of Educational Resources in Computing (JERIC), Communications of the ACM (CACM), Dec

  • Marrying Physical, Virtual Security - Interview with Honolulu CIO Gordon Bruce

    08/07/2009

    It's a marriage made in heaven, if you see the tropical island of Oahu as paradise. In 2005, newly elected Honolulu Mayor Mufi Hannemann assembled the city's public safety and IT officials together to develop an integrated security program, forming a public safety oversight committee, chaired by chief information officer Gordon Bruce. "Anything that has to deal with security; anytime the issue of security came up, we put it on the list," Bruce says, in an interview with Information Security Media Group's GovInfoSecurity.com. "We took an entire, enterprise approach." Bruce spoke with GovInfoSecurity.com's Eric Chabrow about the benefits of linking governmental physical and IT security.

  • Getting the Basics Right - Interview with Jerry Davis, NASA deputy chief information officer for IT security.

    07/07/2009

    Securing innovative technology is admirable, but if you don't get the basics right, then an organization cannot truly secure its information technology. That simple belief is at the foundation of IT security efforts at the National Aeronautics and Space Administration (NASA), as articulated by Jerry Davis, NASA's deputy chief information officer for IT security. As NASA consolidates its IT infrastructure - active directory, IP address management and e-mail, to name a few - its security team is actively involved. "Security doesn't function on its own in silos," Davis says in an interview with Information Security Media Group's GovInfoSecurity.com. "Managing better IT in that regard helps us better to manage security as well." Davis also discusses the need for NASA to attract more highly skilled IT security practitioners, especially those with forensic experience, and secure new technologies such as iPhones that employees like to use. Davis was interviewed by GovInfoSecurity.com's Eric Chabrow.

  • Unique Programs: Enterprise Risk Management at NC State

    06/07/2009

    Risk management is a common theme across and within businesses, and at North Carolina State University the Enterprise Risk Management (ERM) program is attracting notice from prospective employers and students alike. Mark Beasley, head of the school's ERM initiative, discusses: What makes the program unique; The types of students entering and graduating from the initiative; How to approach a career in ERM. Beasley is the Deloitte Professor of Enterprise Risk Management at the College of Management at North Carolina State University in Raleigh, North Carolina. The Enterprise Risk Management (ERM) Initiative at NC State provides thought leadership about ERM practices and their integration with strategy and corporate governance. As founding director, Dr. Beasley leads the ERM Initiative's efforts to help pioneer the development of this emergent discipline through outreach to business professionals, with its ongoing ERM Roundtable Series and ERM Executive Education for boards and senior executives; research, a

  • Match Game: Security Controls and Reported Incidents - Interview with John Streufert, State Department Deputy CIO and CISO, Part 2

    06/07/2009

    When a consortium of federal agencies and private organizations circulated the Consensus Audit Guidelines among federal agencies earlier this year, the IT security team at the State Department mapped these 20 most critical cybersecurity controls against security incidents reported by State to the Department of Homeland Security. John Streufert, deputy chief information officer and chief information security officer at the State Department, in an interview reveals the results of the match and explains how that knowledge helps the department secure its worldwide IT systems and networks. In addition, Streufert discusses a new grading system employed by State aimed at reducing systems and network vulnerabilities. Streufert, in an earlier interview, discussed the department's Risk Scoring Program, which is aimed at pinpointing and correcting the worst vulnerabilities on any particular day on any of its worldwide systems and networks. Streufert spoke with Information Se

  • Beyond FISMA: State Dept.'s Next Gen Metric - Interview with John Streufert, State Department Deputy CIO and CISO

    02/07/2009

    To get a peek at how IT security will be measured after FISMA, take a look at what's happening at Foggy Bottom. The State Department in 2006 instituted its Risk Scoring Program, which is aimed at pinpointing and correcting the worst vulnerabilities on any particular day on any of its worldwide systems and networks. John Streufert, the State Department deputy chief information officer and chief information security officer, says in an interview with GovInfoSecurity.com that the daily monitoring of IT vulnerabilities under Risk Scoring truly measures systems and network security as compared with the once-every-three-year assessment required by the Federal Information Security Management Act of 2002. Because of Risk Scoring, overall risk on State's key unclassified network has plunged by more than 80 percent in the past year. As lawmakers craft legislation to upgrade FISMA, expect to see a program like Risk Scoring incorporated in it. Streufert spoke with Eric Chabrow, GovInfoSecurity.com managing ed

  • 4 Key Areas of Cybersecurity R&D

    24/06/2009

    Interview with Deborah Frincke of the Pacific Northwest National Laboratory. Deborah Frincke is leading a team of computer scientists at the Pacific Northwest National Laboratory, one of nine Department of Energy national labs, to find new ways to defend government IT systems. In an interview with the Information Security Media Group, Frincke describes four areas of research and development being conducted at the Richland, Wash., labs: Adaptive Systems that preserve the intended mission of the systems regardless of attempts at manipulation; Cyber Analytics that provide a broader context for decision making; Predictive Defense that supports strategic and tactical decisions in preserving the long-term soundness of the infrastructure; and Trustworthy Engineering that establishes and maintains security goals. Frincke spoke with Eric Chabrow, managing editor of GovInfoSecurity.com. (A summary of the lab's R&D activities can be found here: i4.pnl.gov.)

  • Audit, Risk Trends: Insights from David Melnick of Deloitte

    22/06/2009

    Audit and enterprise risk - they're inextricably linked. As cyber threats grow - from the inside and out - organizations and their regulators are required to pay closer attention to technology and information security. What are some of the key audit and risk trends to track? David Melnick of Deloitte answers that question in an interview focusing on: Top challenges for financial institutions and government agencies; Successful strategies being deployed to mitigate threats; Trends organizations should track as they eye 2010. Melnick is a principal in security and privacy services within the audit and enterprise risk services practice in the Los Angeles office of Deloitte and brings more than 17 years of experience designing, developing, managing and auditing large scale secure technology infrastructure. Melnick has authored several technology books and is a frequent speaker on the topics of security and electronic commerce.

  • Yearly Security Awareness Training Isn't Enough - Interview with Hord Tipton of (ISC)2

    17/06/2009

    From his perch as executive director of (ISC)2, the not-for-profit certifier of IT security professionals, and as the former CIO at the Interior Department, Hord Tipton has a close-up view on what works and doesn't work with regard to training government employees on information security awareness. In an interview with Information Security Media Group's GovInfoSecurity.com, Tipton discusses the: Need to provide federal employees awareness training more often than once a year because of the ever-changing challenges IT security presents; Challenges the government faces in hiring qualified cybersecurity practitioners even if there aren't enough applicants with IT security certification; and Expansion of information security awareness beyond government agencies and establishing programs in elementary and secondary schools. Tipton spoke with Eric Chabrow, managing editor of GovInfoSecurity.com.

  • IT Security Pros Collaborate on Privacy Act Rewrite - Interview with Ari Schwartz of the Center for Democracy and Technology

    16/06/2009

    Ari Schwartz wants you to help draft the new federal Privacy Act, and he's providing the tool for you to do that. Schwartz is vice president and chief operating officer of the public interest group Center for Democracy and Technology, which has on its site, at eprivacyact.org, a wiki in which cybersecurity professionals are proposing language on how the 35-year-old law should be upgraded. Schwartz hopes to send lawmakers CDT's final draft by the end of June, so legislation could be introduced by Independence Day. The law has not kept up with technology, such as data mining. Also, Congress enacted the original act years before anyone had even heard of the Internet, a technology that makes sharing of information easy, which proves problematic. Schwartz spoke with Information Security Media Group's Eric Chabrow about the changes he sees the Privacy Act needs and how the wiki works and who is using it.

  • Information Security Education: Expanding Career Opportunities Through Advanced Education at Regis University

    15/06/2009

    With the Obama administration's focus on cybersecurity, this is a good time to start or move into an information security career. And Regis University in Colorado is one institution offering state-of-the-art education for undergraduates and graduates alike. In an exclusive interview, Daniel Likarish, faculty of the Regis University School of Computer & Info Sciences, discusses: The information security programs at Regis University; The unique types of students enrolled in these programs; Job placement and opportunities in business and government. Regis University, with nearly 16,000 students, comprises Regis College, College for Professional Studies and Rueckert-Hartman College for Health Professions. The University is recognized by U. S. News & World Report as a Top School in the West and is one of 28 Catholic Jesuit colleges and universities throughout the United States. Regis University is located at 3333 Lowell Blvd. at 50th Street in north Denver. In addition to its north Denver Lowell campus, the U

  • In Silence, Cybersecurity Action - Interview with Jim Flyzik, former Treasury CIO

    12/06/2009

    Cybersecurity isn't getting as much publicity in and around Washington as it did a month ago, when speculation was hot about what was in White House adviser Melissa Hathaway's famous 60-day review of federal government cybersecurity policy and President Obama announced he intends to name a cybersecurity coordinator. But, as Jim Flyzik says in this interview conducted Friday, June 12, much action is occurring behind the scenes, at government contractors with designs to win an expected increase in the number of federal cybersecurity contracts and along the corridors of the White House and Capitol as officials prepare for a sea change in the way the government addresses information security. One thing is for certain, Flyzik says, cybersecurity is now a crucial topic that won't be ignored. Flyzik, if anything, is as well connected as anyone in Washington's government IT community. He spent 27 years in government, most notably as chief information officer of the Treasury Department and White House IT advisor on ho

  • Pandemic Update: Regina Phelps on Level 6 and What it Means

    12/06/2009

    On Thursday, the World Health Organization declared the H1N1 virus to be the first global pandemic in over 40 years. In an exclusive interview, pandemic expert Regina Phelps explains exactly what this means, discussing: How organizations should respond to this announcement; Lessons learned so far from the H1N1 experience; What to expect - and how to respond - in the coming weeks. Phelps is an internationally recognized expert in the field of emergency management and continuity planning. With over 26 years of experience, she has provided consultation and educational speaking services to clients on four continents. She is founder of Emergency Management & Safety Solutions, a consulting company specializing in emergency management, continuity planning and safety.

  • Michigan's Pass-Fail IT Security Challenge - Interview with Michigan CTO Dan Lohrmann

    11/06/2009

    After nearly seven years as Michigan chief information security officer, Dan Lohrmann got promoted earlier this year to the post of state chief technology officer. But despite new responsibilities, Lohrmann remains a key knowledge center on how Michigan handles information security. Lohrmann, in an interview, says preventing data loss is among the biggest IT security challenges the state faces. Speaking with Information Security Media Group's Eric Chabrow, Lohrmann compares how the state governs cybersecurity with that of the federal government, and in many respects, it's not much different. Michigan relies on the Federal Information Security Management Act and guidance from the National Institute of Standards and Technology to keep state IT safe. One advantage, Lohrmann concedes, the state has over its federal counterparts: Michigan isn't graded on compliance by the Office of Management and Budget.
