Source: Blog | Brian O’Donnell | September 2, 2016

The Symantec Government Symposium held in DC on August 30th brought together the best cybersecurity minds in government and in the industry to discuss a variety of topics which all ultimately had one core theme: the ability to gain intelligence from security data to stay agile and smart against today’s evolving threat landscape. The topics of conversation during the keynote presentations, TECHTalks, and breakout sessions can be broken down into three major categories with actionable items for government to improve their cyber posture.

Education for Employees

Multiple experts and thought leaders from industry and government discussed the importance of employee education, both for the next generation of cybersecurity professionals still school and for current employees. Beth Cobert, the Acting Director of OPM, broke down the cybersecurity human capital strategy into 4 pillars:

  1. Data Analytics: Increase the accuracy of the cybersecurity workforce and effectively conduct workforce planning
  2. Talent Pipeline: Reach out to both large and small K-12 education systems to foster a more inclusive and robust cybersecurity curriculum
  3. Recruit & Hire: Engage in both government-wide and agency specific efforts to increase cyber recruitment and make federal employment opportunities more appealing for cybersecurity talent
  4. Talent Development & Retention: Promote retention through high quality trainings that are uniform throughout the public sector

Cobert also emphasized the need for rotational programs in entry level positions to increase their experience and knowledge, thus increasing employees’ usefulness. But the need for continued education isn’t only for new professionals or students; current cybersecurity specialists need ongoing trainings too. The Cyber Intelligence and Action panel agreed that today’s software developers and cyber officers need to work together to write more secure code. Non-cyber employees also need education on security best practices, like how to spot a phishing scheme, to significantly reduce the risk of internal threat from simple human error. In sum, cybersecurity education is not only important for non-cyber employees and cyber specialists, but also for today’s developers who can mitigate risk before it occurs.

Importance of Information Sharing

Throughout the day, the significance of sharing data security intelligence between agencies, as well as between private and public sector organizations, became clear. Information sharing amongst all parties has historically helped agencies maintain and develop their cyber posture. Panelists, like Gregory Touhill, Deputy Assistant Secretary for Cybersecurity and Communications at the Department of Homeland Security, noted that it’s important to know what is happening in your own cyber neighborhood and backyard to gain situational awareness and make more informed decisions. To that point, the Cyber Intelligence and Action panel cited the Australian government as an example for the United States to model itself after. Australia has made it a priority to make relevant cybersecurity data available to the private sector (after first sanitizing and removing sensitive information), and the private sector then make their data available to the public sector in return. Each group learns from the mistakes of the other and can develop best practices and new strategies that serve the interests of both sectors.

Privacy vs. Security

The issue of data privacy versus data security was widely discussed and proved to be a point of great contention throughout the day. During his morning keynote, FBI Director James Comey discussed the importance and advantage of citizens surrendering some of their privacy for the increased security of the nation. He warned against the dangers of “going dark,” or the increasing inability of judicial authority to gain access to important information on a personal device

On the other side of this argument was Nuala O’Connor, President and CEO of the Center for Democracy and Technology, and Jane Holl Lute, Director and CEO of the Center for Internet Security. O’Connor feels the government does not need to have such a direct access to information and devices in order for national security and cybersecurity to be strong. Lute echoed this argument by proposing the idea “Nothing about me, without me,” suggesting that users should be involved in any decisions or action happening around their personal data. While neither Comey’s nor O’Connor’s or Lute’s arguments are more correct than the other, these propositions and suggestions on how to handle the huge amounts of citizen and agency data represent a very popular, though somewhat controversial topic, in the current cybersecurity conversation.

The Symantec Government Symposium offered a platform for cybersecurity leaders to tackle the tough conversations surrounding today’s cybersecurity challenges. The program kept dialogue open about how to continuously improve our cybersecurity best practices to stay smart against today’s threats. To learn more about this year’s Symposium, check out theevent website or the hashtag #SymGovSym on Twitter. For more information about the current internet threat landscape, read Symantec’s latest Internet Security Threat Report.