FISMA Insecurity – Part II

I attended an all-boys high school. At 16, we had no idea how to talk to women. It seems OMB is tongue-tied too when it comes to FISMA reform, CyberScope, and chatting up CIOs and CISOs. As the deadline for all agencies to use CyberScope for FISMA reporting looms – November 15, 2010 – it looks like OMB is in serious danger of going to the prom alone. A new MeriTalk study – FISMA's Facelift – reports that as of July 2010, 85 percent of Federal IT security leaders have yet to go on a first date with CyberScope. If beauty is only skin deep, let’s dig beneath the surface. Of the 85 percent “CyberScope virgins,” 72 percent don’t understand CyberScope’s mission and goals – and 90 percent don’t know how to get lucky – they’re unclear on the submission requirements. 55 percent question CyberScope’s economic benefits – asserting it will increase cost. Most damaging, Feds don’t see the value of courting. 55 percent don’t believe CyberScope will improve security oversight and 69 percent are unsure if the new approach will improve Uncle Sam’s cyber security.

FISMA Insecurity Part 1

"Why are agencies forced to pay twice to C&A systems?" said the exasperated and cash-strapped Federal IT exec. "If agency A wants to use a system from agency B - a system that has already been C&A'd - then agency A needs to pay for a completely new C&A. If we're spending more than 20 percent of our cyber security budget on C&A - and the average C&A costs $167,643 - shouldn't we look for efficiencies?" An observation over lunch was quickly validated by other Feds - IT execs battling with the double-headed budget and security dragon. Curious stuff. The FISMA C&A reciprocity riddle set me on a fool's errand to put a dollar figure on the cost of C&A redundancy. That said, it opened a new window on OMB's lack of transparency - quite astonishing in this era of open government.

Security: Back to basics (Part 1 – The Human Touch)

The latest quarterly security update from Symantec shows that there are still some basic steps system administrators can take to protect their networks and endpoints. These are the low-hanging fruit that help prevent attacks and the compromise of confidential data. Education remains one of the top three returns on investment on the security side. An educated end-user will not click on links in emails that aren't from trusted parties, will not open password-protected zip files and run their contents, and will bring suspicious emails to the help desk. An educated management team understands that security is not just a line item that can be eliminated or reduced. As threats become more sophisticated at penetrating networks and endpoints, increasingly sophisticated tools are needed to prevent, find, and remove them.

San Francisco Lockout – Found Guilty: the city or the admin?

After years of public acrimony and a six-month trial, San Francisco IT administrator Terry Childs has been found guilty of hijacking the city's computer system. Cyber-Ark has always maintained that this was more than simply a case about a rogue employee, but in fact an example of an organizational failure in managing and effectively taking ownership of privileged accounts and identities. At the end of the

The Darwinian Challenge of Cybersecurity

The adaptive nature of threats to information security has proven to be one of the greatest challenges to personal, business, and government adoption of computing in general, and communication of digital information over the public Internet, in particular. Today we are not only concerned with theft of private or sensitive information created and stored on ubiquitous personal computing and communications devices, we also have to be concerned with the security of our information while it is in transit and when it is in storage at its destination.