Episode 2 Bruce Brody of Cubic Cyber Solutions


In this episode, Jeff Williams interviews Bruce Brody of Cubic Solutions, a leading provider of specialized systems and services in the rapidly changing world of technology. They examine the relationship between federal cybersecurity rules and regulations, and how workforces can stay on top of educating their employees regarding the changing threatscape.

JEFF WILLIAMS “How is application security different in the government sector versus the commercial sector?”
BRUCE BRODY “In the government sector, there’s a tremendous amount of interest in the security of an application when it comes to a variety of different operating environments…e.g. Classified vs. Unclassified operating environments.”
BRUCE “If it’s going to be in a classified environment, then some very rigorous tests and evaluation need to occur before that application is approved…in unclassified environments, the application does have to withstand some scrutiny and some testing, but it’s not nearly as rigorous.”
JEFF WILLIAMS “I was under the impression that most applications had to get their code reviewed. Is that true for most applications, or just a subset?”
BRUCE “Well, a subset operates specifically in very sensitive and classified environments. …an unclassified environment has to go through an Authority to Operate process…and that’s a little less scrutiny on the application and more on the system-level performance.”
JEFF “Have you noticed a change in software development in government to more ad-hoc, DevOps-style software development?”
BRUCE “Like all programs in government, the intent is there to move in that direction…there are some things going on with the Department of Homeland Security and across various agencies to put some good processes, some better processes, more agile processes in place. Those are moving along.”
JEFF “I’ve seen you’ve written that ‘there’s no longer any reasonable argument regarding whether or not continuous monitoring is the right move for federal departments and agencies.’ Why do you think continuous monitoring is so important?”
BRUCE “The government has long had an approach where periodic monitoring was okay [and] periodic scanning doesn’t give you the ability to take a look at a system that’s constantly changing and say if it’s as secure as when you originally authorized it to operate.”
BRUCE “You need to turn periodic into a continuous look at these systems, so that you know that the controls you have put in place to elevate the security level of the systems are continuously in place and operating accordingly.”
JEFF “If you want to actually do [application security] and keep things secure, you’ve got to be doing it continuously.”
BRUCE “It’s a 24/7, 365 kind of approach to security that will [cause] the overall security posture of the federal government to improve.”
JEFF “What about the expense of doing things continuously?”
BRUCE “Well, some people have argued that it takes a lot more money to do application security continuously. But if you do it right, continuous monitoring can actually save you money.”
BRUCE “You’re fixing things before they happen. You’re anticipating. You’re being proactive.”
JEFF “What do you think the effect of continuous security is on the culture of security within a large organization?”
BRUCE “Continuous monitoring puts you on proper footing when it comes to dealing with the risk management profile of an organization. … and when you’re operating in the continuous kind of mode, you’re operating in a mode that keeps everybody alert, awake, alive, and very well tuned in to the kind of problems that need to be thwarted on a regular basis.”
JEFF “Let’s talk about enterprise-wide impacts on the cultural impact of continuous application security.”
BRUCE “The Department of Defense has actually put some fairly serious directives in place in terms of how to keep the workforce fresh and skilled. And those people who have specific cybersecurity responsibilities must have a certain specific qualification.”
JEFF “Back [20 years ago] security was much more positive and driven from overall goals. In the last ten years, I think they’ve taken more of a negative approach to security, like, ‘We’ll pentest to find holes and then say something’s secure.’ How do you feel assurance has evolved?”
BRUCE “You’re right. Nowadays it seems to be about over-emphasizing problems. …the fact of the matter is, we have taken more of a serious kind of a danger approach to the problem these days.”
JEFF “Do you think we’ll ever get back to the point when assurance is actually something people care about? I would say the only confidence we have in our systems, and particularly our software, is that they haven’t been hacked yet, which really is a weak assurance argument.”
BRUCE “At the corporate level, you’ll find that whether or not the board cares about security is kind of how it’s viewed across the corporate world. And that’s unfortunate, because very few board members have security in their background unless it’s actually a security company.”
BRUCE “In the government, the only driver for being more secure is the last crisis that you had to deal with, and the heads that rolled in that crisis, and the processes and budget that were put in place as a result of that crisis.”
BRUCE “We’re always prepared to fight the war we just fought. We’re never prepared to fight the next war.”
JEFF “Yeah. That’s frustrating that we can’t see what’s coming, even in the face of staggering evidence of insecurity.”
JEFF “What are the key metrics you use to make sure you can sleep at night, particularly about your application security programs, but also as your program as a whole?”
BRUCE “What I want to know? I want to have the assurance that my business processes that I’m responsible for assuring, my mission that I’m responsible for delivering, that that mission has not been impeded or obstructed by something that I have some amount of control over.”
JEFF “Any final thoughts?”
BRUCE “We used to spend a lot of time on vulnerabilities, because we thought the more you reduced your vulnerabilities, the less of a target you became to the bad guys or to the threat. Nowadays, that problem has morphed into being threat aware. Threats are more dangerous and becoming more persistent.”