The future of federal cybersecurity

Cybersecurity is high on federal agendas and comes with a range of challenges: risk awareness, mitigation policies, threat detection software, modernizing systems, efficient procurement practices and a shortage of top talent.

On this episode of CyberChat, host Sean Kelley, former Environmental Protection Agency chief information security officer, is joined by retired Homeland Security senior executive and founder of GotUrSix TV, Keith Trippie.

The future of cyber is in automation of controls and continuous authorization, Trippie said. Under the federal risk management framework, an information system must be granted an authority to operate (ATO) before it goes into production and has traditionally had to be re-authorized at least every three years. Continuous authorization, also called ongoing authorization, shifts from that periodic assessment to ongoing assessment of the system's controls, so the authorizing official keeps a continual state of awareness rather than a three-year-old snapshot.

“Hackers will not care if ATOs are updated or current. Automation of controls and embedding controls in the app will give you continuous visibility into what the vulnerabilities are,” Trippie said. “Through continuous authorization you can reduce costs and enhance cyber posture by taking advantage of all the new technologies around automation, which is the way the world is going.”
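To make the shift from periodic to ongoing assessment concrete, here is an added example (written for this article, not code from the podcast, DHS or any agency tool) of controls embedded as code and re-run against the current system state on every change. The control labels are hypothetical identifiers in NIST SP 800-53 style, the thresholds are assumptions, and the three system snapshots are constructed to show a clean baseline, a configuration drift that would suspend the authorization the day it happens, and a slipped patch cycle that keeps the authorization but opens a plan of action and milestones (POA&M).

```python
"""Continuous (ongoing) authorization, illustrated: instead of assessing an
information system once every three years, re-evaluate its controls against the
current system state on every configuration change.  Example code written for
this article; not from the podcast, DHS or any agency.  Control labels are
hypothetical (NIST SP 800-53 style); thresholds and snapshots are constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    control: str   # hypothetical control label in 800-53 style
    severity: str  # "high" or "moderate"
    detail: str


# Each check takes a system-state snapshot (the kind of dict an inventory or
# configuration collector would produce) plus the assessment date, and returns
# a Finding when the control fails or None when it passes.
def check_mfa_on_admins(state, today):
    no_mfa = sorted(u["name"] for u in state["users"] if u["admin"] and not u["mfa"])
    if no_mfa:
        return Finding("IA-2(1)", "high", f"admin accounts without MFA: {no_mfa}")
    return None


def check_patch_age(state, today, max_days=30):  # 30-day limit is an assumption
    age = (today - state["last_patched"]).days
    if age > max_days:
        return Finding("SI-2", "moderate", f"last patched {age} days ago, limit is {max_days}")
    return None


def check_encryption_at_rest(state, today):
    plain = sorted(v["id"] for v in state["volumes"] if not v["encrypted"])
    if plain:
        return Finding("SC-28", "high", f"unencrypted volumes: {plain}")
    return None


def check_no_public_ssh(state, today):
    exposed = [r for r in state["firewall"] if r["port"] == 22 and r["source"] == "0.0.0.0/0"]
    if exposed:
        return Finding("SC-7", "high", "SSH (tcp/22) reachable from 0.0.0.0/0")
    return None


CHECKS = [check_mfa_on_admins, check_patch_age, check_encryption_at_rest, check_no_public_ssh]


def assess(state, today):
    """Run every embedded control check; an empty list means all controls pass."""
    return [f for f in (check(state, today) for check in CHECKS) if f is not None]


def authorization_status(findings):
    """Map findings to an ongoing-authorization decision: a high-severity failure
    suspends the ATO immediately, moderate findings keep it with a POA&M."""
    if any(f.severity == "high" for f in findings):
        return "suspended"
    if findings:
        return "authorized with POA&M"
    return "authorized"


def assess_stream(snapshots):
    """Evaluate a time-ordered sequence of (date, state) snapshots, the way a
    continuous-monitoring pipeline would on each change event."""
    results = []
    for day, state in snapshots:
        findings = assess(state, day)
        results.append((day, authorization_status(findings), findings))
    return results


# Constructed snapshots: a clean baseline, then a change that opens SSH to the
# world and drops MFA on one admin, then a later patch cycle that slips.
BASELINE = {
    "users": [{"name": "alice", "admin": True, "mfa": True},
              {"name": "bob", "admin": False, "mfa": False}],
    "last_patched": date(2019, 2, 20),
    "volumes": [{"id": "vol-1", "encrypted": True}],
    "firewall": [{"port": 443, "source": "0.0.0.0/0"},
                 {"port": 22, "source": "10.0.0.0/8"}],
}
DRIFTED = dict(BASELINE,
               users=[{"name": "alice", "admin": True, "mfa": False},
                      {"name": "bob", "admin": False, "mfa": False}],
               firewall=BASELINE["firewall"] + [{"port": 22, "source": "0.0.0.0/0"}])
STALE = dict(BASELINE, last_patched=date(2019, 1, 1))
SNAPSHOTS = [(date(2019, 3, 1), BASELINE), (date(2019, 3, 2), DRIFTED), (date(2019, 4, 1), STALE)]

if __name__ == "__main__":
    for day, status, findings in assess_stream(SNAPSHOTS):
        print(day, status, [f"{f.control}: {f.detail}" for f in findings])
```

The point of the design is that the authorization decision is recomputed from evidence on each change event, so a high-severity drift on 2 March changes the system's status that day, not at the next triennial review; the moderate patch-age finding on 1 April is tracked rather than treated as a pass.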

Trippie said some agencies are already positioned to implement this level of security thanks to the capabilities of the cloud.

Pay remains one of the biggest hurdles when competing against industry for top talent. Just as big a hurdle, Trippie noted, is the government's recent requirement that recruits hold various certifications. He believes these requirements are overly prescriptive and unnecessarily thin the cyber talent pool because they do not take experience into account.

The CISO community as a whole should be looking at whom it is hiring. “One critical skill in a CISO should be risk management, because the primary objective of any CISO is to manage risk,” Trippie said.

Cyber insurance is the fastest-growing product line in the insurance field as companies fold it into their overall risk management strategy to help bear the costs associated with data breaches. “Government executives should consider cyber insurance as a differentiator when selecting vendors,” Trippie said.

Top Takeaways

  1. Continuous authorization gives organizations continuous visibility into their vulnerabilities.
  2. Continuous authorization can reduce costs and enhance cyber posture.
  3. Risk management is a critical skill for CISOs.
  4. Actual cyber experience can be just as good a qualification as certifications.
  5. Government executives should consider cyber insurance during the vendor selection process.