Saturday, November 1, 2014

G2 Addresses the Exclusive CISO Executive Forum

G2 is pleased to, once again, share and collaborate with our colleagues in the Information Systems Security Association (ISSA). ISSA is celebrating its 30th anniversary as an organization of professionals who work to improve global cybersecurity.

G2 was invited to address the exclusive CISO Executive Forum, the ISSA program that provides executives an environment to achieve mutual success by connecting them to a large network of peers and top industry experts. Tom Conkle and Greg Witte described how the Cybersecurity Framework (CSF) enables effective risk management communication by fostering dialogue among Senior Executives, Business Process Owners, and Operational levels. CSF supports a cost-effective approach to protecting what's important and achieving risk objectives.

G2 has been a part of NIST's core team that has partnered with industry to build the CSF, and continues to support industry adoption through consulting, engineering, and implementation guidance. G2 will continue that support as the CSF and the DHS voluntary program expand and evolve.

Tuesday, October 28, 2014

G2 Attending 6th Cybersecurity Framework Workshop

Over the next two days, Paul Green, Brian Hubbard, Tom Conkle and several other G2'ers will be supporting and contributing to the 6th Cybersecurity Framework Workshop, which will be hosted at the University of South Florida in sunny Tampa, FL.

The purpose: "Executive Order 13636, Improving Critical Infrastructure Cybersecurity, directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. Version 1.0 of the Cybersecurity Framework, released on February 12, 2014, was developed in an open manner with input from stakeholders in industry, academia, and government, including a public review and comment process, workshops, and other means of engagement.

In the time since the Framework's publication, NIST's primary goal has been to raise awareness of the Framework and encourage its use as a tool to help industry sectors and organizations manage cybersecurity risks.

The purpose of this workshop is to gather input to help NIST understand stakeholder awareness of, and initial experiences with, the framework and related activities to support its use. NIST is planning to release a formal Request for Information (RFI) asking for further feedback in these areas. Responses to the RFI will inform the workshop agenda.

Target Audience
Critical Infrastructure Owners and Operators and cybersecurity staff. Specifically those who have operational, managerial and policy experience and responsibilities for cybersecurity, technology and/or standards development for Critical Infrastructure companies." - Source: NIST.gov

For additional (non-NIST-sponsored) open discussion about the Cybersecurity Framework, check out CForum.

Thursday, October 2, 2014

Director of R&D, Dr. Pat Muoio, was recently interviewed by AFCEA Signal about Cloud Security.

Isolation Mechanisms Help Protect Data in Public Cloud

October 1, 2014
By Sandra Jontz

Usage has spurred growth in the virtualization market.

Explosive amounts of data and the strains on limited financial resources have prompted corporations and governmental agencies alike to explore joint tenancy in the cloud for storing, processing and transmitting data. But while good fences—or in this case isolation mechanisms—make good neighbors, in the virtual world of cloud security the idiom might not ring entirely true. In the public cloud arena, risks arise when organizations place their data in a cloud system but cannot control who their neighbors might be.

“There’s a risk that your data or your processes could bleed or be accessible from your cloud by your neighbors in a way you don’t intend them to be,” says Pat Muoio, director of research and development at G2 Incorporated in Maryland. “The kinds of mechanisms you need to protect against these risks of multitenancy are strong isolation mechanisms. A lot of virtualization systems provide isolation of your data and your processes from the next guy’s data and processes, but making sure that the mechanisms … are sound and strong, I think, is a key way to address this multitenancy risk.”

Cloud security vulnerabilities are just as high as those in networking. “That’s just a risk of [information technology] in general, not just a risk to cloud,” says Muoio, who served as a senior executive supervising more than 100 researchers in the federal government and developed capabilities to operate safely in compromised environments. In addition, she provided strategic direction to secure wireless technology, resilient systems, trustworthy computing, science of security, cryptography and system design and analysis.

Putting all of the security burdens of network computing on the back of the “poor cloud” is not useful, she adds. “We have to think about what’s different about the cloud,” says Muoio, whose technical focus areas include cyber physical systems, cybersecurity and advanced data processing. “For the most part, in my mind, those differences only become acute when we’re talking about the public cloud,” Muoio continues. “When we start talking about putting your data somewhere else, I think the risks change a little.”

The cloud offers attractive, affordable solutions that do not require much of an upfront investment and can be paid for based on usage or through subscriptions. It will be a booming market, a study by Global Media and Entertainment Solutions for the Cloud reports. While the cloud market earned roughly $100 million in 2013, it is expected to grow nearly ninefold by 2020, the report states. The Office of Management and Budget (OMB) already requires federal agencies to adopt a “cloud first” policy when contemplating information technology purchases.

Generally, public cloud use appeals to researchers, smaller companies and individuals who might need a lot of computing power for short durations. It also is attractive for cloud bursting, when running an application on a private cloud or data center is not enough and a user needs to burst into a public cloud for a brief capacity spike. “You might need a lot of compute power for an hour or two, or only once a week or so. If you were to buy that size of a computer, it would be very expensive and you might not get as much use out of it to justify that expense,” Muoio explains. “A lot of big companies are actually slower to move to public clouds because they have richer internal resources and have a better understanding of their compute load, which is much more steady.”

The growth of cloud usage spurred increased attention to and investment in virtualization, Muoio says. This is key to some possible solutions such as the growing trend of bring your own device (BYOD), in which employees use their own mobile devices such as cellular phones and tablets for work purposes. “You can save a lot of money if you work with virtual machines rather than be limited by the barriers that are on physical machines,” she says. “Absent virtualization, if I wanted to keep my work separate from your work, we’d have to put them on different physical computers. Whereas now, you use half a computer, I use half a computer, we can share it because we have these virtualization technologies.”

But access to the data—when users want it and how users want it—presents an additional concern. Data is stored off the cloud user’s premises and in somebody else’s space. There is a risk of not being able to gain access to the data if, for example, a network crashes. Consumers should conduct ample research when choosing suitable vendors to meet their needs, Muoio advises. “You would be doing poor due diligence in picking a contractor if you need a 99 percent availability and that vendor only offers 80 percent.”

Midsize and larger corporations have migrated toward using technology that takes them from a “recovery” of data mindset to a “resiliency” one. This technology provides seamless backup between data centers or access to cloud computing when one center is compromised and shuts down, says Matt Waxman, vice president of product management for the data protection and availability division of EMC Corporation. The company created the VPLEX technology, which the U.S. military uses as a backup system between data centers.

“There’s a big difference between recovery and resiliency, and VPLEX really plays into the resiliency. Whether it’s a power failure or a flood or a hurricane, … it keeps your applications online across two data centers without the need for any human intervention,” Waxman explains. “It’s a hardware and software solution that effectively can turn storage of data into this continuous availability model.”

Although technology such as VPLEX offers a recovery and resilience solution, Muoio points out that other techniques also are available. For example, if users rely on public cloud computing centers and access to multiple data centers is out of reach, they can mitigate problems through diligent tagging, such as specifying a date to delete stored data from the cloud, she advises.

“Understand the relationship and how much trust you are willing to put in [a company]. Put in the cloud the data that matches the trust you have in the system’s integrity. You can see companies making choices where they might put less sensitive data out there and keep their intellectual property in-house. The part of using these resources is understanding what they are good for, what they are too risky for.”

Wednesday, August 27, 2014

G2 Expertise on Display in the Harvard Law School Forum on Corporate Governance and Financial Regulation

We are proud to announce that one of our Sr Cybersecurity Consultants has contributed content that was just recently published by the Harvard Law School Forum on Corporate Governance and Financial Regulation.  You can view the article, authored by Tom Conkle, Sr Cybersecurity Consultant at G2, Inc. and Paul A. Ferrillo, counsel at Weil, Gotshal & Manges LLP, by clicking here.

We firmly believe that the Cybersecurity Framework is a key component to securing our Nation's most critical systems, and we invite you to exchange ideas with us on CFORUM (the only website dedicated to the evolution of NIST's Cybersecurity Framework).

Thursday, August 21, 2014

G2 to Participate in Weil Gotshal & Manges' September Cybersecurity Briefings in New York City

G2 is proud to partner with Weil Gotshal & Manges in the effort to further educate the general public on the principles of Cybersecurity, Cyber Governance, and Cyber Insurance. In the month of September, the firm will sponsor a set of Cyber Security Briefings.

The two-day Continuing Legal Education (CLE) webinar series – to be held on the mornings of Monday, September 15 and Monday, September 22 at Weil's New York office – will feature three panels focusing on the existing cyber security threat and target industries, cyber governance issues facing boards and management, and related cyber insurance issues for directors.  Tom Conkle, Cybersecurity Consultant at G2, will serve as one of the panelists on September 15 on the panel that will tackle the issue of Cyber Governance.

Here's a little more information about Weil Gotshal and their inaugural September Cybersecurity Briefing:

Weil, Gotshal & Manges is an international law firm that has a dedicated practice addressing the litigation risks caused by cybercrime.  The Cybersecurity briefings in September will feature a number of Weil Gotshal's partners as well as a premier group of cyber and risk professionals from public companies, enterprise risk management consulting companies, public relations firms, cyber “first responders,” and the legal industry. Weil counsel Paul Ferrillo will moderate each panel.

We invite you to click here to view the two-day agenda and register for the webinar(s).

Tuesday, August 19, 2014

G2's Tom Conkle to lead "The Cybersecurity Framework Explained" webinar alongside Admiral Mike Brown (RSA)!

Register now to participate in the RSA/G2 Cybersecurity Framework webinar scheduled for this Thursday, Aug 21, 2014 at 11am EST. This webinar will provide an overview of the Cybersecurity Framework and discuss the benefits the Framework provides to critical infrastructure providers.

More details regarding the webinar are provided below.

RSA Live Webcast:
The Cybersecurity Framework Explained

Thursday, August 21, 2014
11:00 am EDT/4:00 pm GMT

Presenters:
Admiral Mike Brown, United States Navy (Retired), Vice President and General Manager, Global Public Sector, RSA

Tom Conkle, Commercial Cybersecurity Lead, G2, Inc.

Concerns with the increasing number of successful cyber attacks (a recent Ponemon survey identified that 67% of Critical Infrastructure providers surveyed were breached last year*) and the continued increase in Cybersecurity spending prompted the U.S. Government to develop the Cybersecurity Framework in February of 2014.

If you have questions about the Cybersecurity Framework and what this means for your organization, this webcast will provide you with access to two of the foremost experts. Hear from Admiral Mike Brown who participated in the development of the Presidential Executive Order (E.O. 13636) which led to the development of the Framework. Also hear from G2, Inc., who was engaged by the National Institute of Standards and Technology (NIST) as the prime contractor to assist in the development of the Framework for Improving Critical Infrastructure Cybersecurity.

While the Framework was developed for Critical Infrastructure providers, it is a valuable tool for any company with a cyber presence. Join this webcast to learn more about:
- The history of the Cybersecurity Framework and why it was developed
- The Cybersecurity Framework components
- The benefits your organization can obtain from using the Cybersecurity Framework
- How to get started using the Framework

You will also have the chance to ask questions at the end of the webcast.

Tuesday, July 29, 2014

Greg Witte Leads ISACA Cybersecurity Framework Webinar (July 29, 2014)

To register for the webinar or view the archive, click here.

A little background information...
G2 recently completed the "ISACA Guide for Implementing the Cybersecurity Framework."  The book describes the Cybersecurity Framework and how organizations can implement the Framework using ISACA COBIT 5 processes.  ISACA scheduled the release of the book for mid-August.

As a precursor to the book being released, and to help advertise ISACA's NEXUS program, ISACA asked our very own Greg Witte to provide a webinar describing the Framework and the implementation guidance provided in the book.

ISACA (www.isaca.org) is an independent, nonprofit, global association that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.

Needless to say, we're extremely proud of Greg and the outcomes that we're producing with ISACA.  We hope those who tune in find the webinar helpful.

Wednesday, May 7, 2014

SWIM UPSTREAM.

By Paul Green, CEO

How do we make a difference in protecting our Nation, and run a business at the same time? Many small businesses (G2 included) have people in their company who individually make a difference, but as a whole, is there something we can accomplish that is greater than the sum of our employees’ individual contributions? And can we do this in a repeatable way so we can create a long-lasting and positive impact on our customers and employees? I believe the answer is yes.

The first question that must be answered is how you intend to create that difference. At G2 our answer to this question is to proactively and systematically turn our employees’ ideas into impact. To be effective, we have to start with a fundamental understanding of the mission outcomes our customers want to achieve. We must also be well versed in the challenges that will prevent them from reaching their goals both today and in the future. The best source of this insight and these ideas is our employees who are embedded within customer organizations supporting a variety of mission sets.

Since anyone can conceive an idea, what really matters is what you do with the idea. At G2, we provide the resources (time, equipment and money) to our employees to investigate whether their idea can make a positive impact. Some will, some will not. There are no penalties if an idea does not succeed. For the ideas that can make a difference, the next challenge is to attach these efforts to contract vehicles where the Government can benefit from them. This often means navigating through bureaucracy, contract limitations, coopetition (otherwise known as teaming) and even protectionism.

I recall a time when we were a very small business supporting a very large system integrator and we received explicit instructions not to talk to the customer unless the large system integrator was there as part of the conversation. At the time this seemed like a reasonable request from our prime and one we weren’t well positioned to push back on. Over time, what I came to realize is that the request was a very deliberate act in order to ensure that the small business would not influence the way the customer was thinking or planning. The desire of the large system integrator was that the small company should simply provide the bodies, follow the rules, punch the clock and not rock the boat. This is precisely what our Country doesn’t need.

It's my belief that the reason this happens is that thoughtful dialogue could increase the risk of delivery on a task, or drive up customer expectations or costs that would create a risk to the bottom line. By its very nature, the battlefield that we work on every day is always changing, so concepts like “don’t rock the boat” are antiquated and unhelpful.

At G2 I encourage every employee to be bold, question status quo, take chances and swim upstream.

Monday, April 21, 2014

Research and Failure

By Pat Muoio

Folk wisdom has it that a good research program should fail at least 70% of the time. This might lead one to think that research is the perfect endeavor for the lazy and the inept. Yet research remains a respected pursuit, and researchers are generally thought to be driven and accomplished (insert image of your favorite inventor or mad scientist here). So how do we reconcile this drive for truth and innovation with the complacent acceptance of a high failure rate?

First we have to recognize that not all failures are created equal. There is one species of failure that results from lack of critical thinking, misunderstanding of the problem, unchallenged assumptions, poor experimental design, or general incompetence. This kind of failure is no more acceptable in research than it is in development or operations. The desirable species of failure comes from taking significant technical risk and pushing the boundaries of what is currently known. The thinking is, if you go out on a technical limb, it will fail to bear your weight a good percentage of the time. You can increase your chances of being supported by staying close to the trunk, or by only venturing out on the thick limbs that have been around for a while, but you can’t reach very far from these vantage points. To expand the scope of your grasp, you need to explore the less mature parts of the tree.

But falling out of a tree hurts (to torture this analogy just a little bit more) so why is climbing trees a good thing? For one, the view from the top when you are successful is spectacular. For two, you learn a lot about the problem, and about the limits of our understanding, every time you fall. And, if you are self-critical about your climb, your analysis of what went wrong improves your chances of succeeding the next time. This learning, born of risk-taking, is the value of failure in research.

Yet taking risks is not the same as being foolhardy, and it is critical to keep this in mind when embarking on a research activity – good research needs a strategy. You can assess the resilience of the branches of the tree you want to climb. You can tell in advance that some branches are just too weak, or are pointing downward and so won’t improve your view in any case. You can trace a path through the tree that enables you to jump to a nearby branch when you hear the one you are on starting to crack. And you can put a knowledge-collecting net near the base of the tree so you can bounce back up after the fall.

Tuesday, April 8, 2014

G2 Leadership.

By: Paul Green, CEO


Eight things I believe about Leadership:

1. Being a Leader is a choice and does not require a title.

2. Leaders act with integrity and are fair. The bedrock of leadership is integrity. Integrity is the product of moral character and honesty and is closely associated with the consistency of our actions. If one says they are going to do something and then does not do it, they risk having their integrity called into question.

3. Leaders are trustworthy. Trust is a belief that something or someone has integrity. In other words, it is the belief that something (or someone) will work as you expect. If you want people to trust you, focus on consistently doing what you say you’re going to do, and always be fair to others.

4. Leaders create positive environments by being approachable and willing to listen to the ideas and concerns of anyone in the company. Leaders are willing to be transparent about how they make decisions. They have high expectations of others, offer praise when it is deserved and provide candid and timely feedback when those expectations are not met.

5. Leaders create a sense of belonging by building teams of people whose personal ideals and motivations are aligned with the core mission and values of the organization, and by helping each member of their team understand how they can contribute to the team’s shared goals.

6. Leaders inspire others. They keep us focused on our most important goal, remind us of why this goal is meaningful and lead by example.

7. Leaders build the esteem of others. Leaders let their people know they believe in them and their potential. They take the time to celebrate the successes of their peers and direct reports in front of others. Leaders offer meaningful encouragement, and help others realize their own success even when they can't see it for themselves.

8. Leaders empower others. They see more in people than they see in themselves. Great leaders hold us accountable not only for what must be done, but also to realize the fullness of our potential.

Wednesday, April 2, 2014

Leveraging the Cybersecurity Framework to Protect Critical Infrastructure

By Brian Hubbard

After a year of working hand-in-hand with NIST to develop the Cybersecurity Framework, G2 has established an Implementation Support team to help critical infrastructure organizations leverage the Framework to improve their cybersecurity programs.

Our Implementation Support team assists organizations in the following areas: identification and scoping of their cybersecurity programs, development and analysis of their cybersecurity profiles, the analysis of gaps, and the development of action plans to close gaps.  In addition, we help those organizations implement those action plans with the intent of moving the organization toward their targeted state.

As an added value, G2 also provides training on the Cybersecurity Framework.  Our tiered training sessions are rooted in the many lessons that we learned while supporting the Cybersecurity Framework’s development and implementation.  We offer training that ranges from informational overviews for C-level executives to implementation seminars that focus on helping managers and operators understand how the Framework can improve their cybersecurity programs.  Beyond that, we facilitate workshops that help organizations develop detailed Framework implementation plans.

Our support doesn't stop at training and planning.  Our Implementation Support team also provides the expertise required to maintain and evolve your security program as the target state profile continually evolves to address newly identified threats, security vulnerabilities, or changes in technologies.  Additionally, our implementation team defines security target states for organizational suppliers.

Our Supplier Risk Management capability identifies security risks imposed by your suppliers and establishes target profiles to manage the risk your suppliers impose.

For more information on our services supporting the implementation of the Cybersecurity Framework, or any of our other services, feel free to contact Brian Hubbard at brian.hubbard@g2-inc.com or 301-575-5106.

Wednesday, March 19, 2014

When The Going Gets Tough, The Tough Invest in Research

By: Patricia Muoio, Director of R&D, G2 Inc.

There is no denying that we have just emerged from a year that was fiscally problematic for government contractors into a period with a somewhat rosier prospect that is still marked by a high degree of fiscal uncertainty.

Some may wonder why G2 would choose to go large in research, an uncertain prospect, in this time of uncertainty. Or, more personally, we may individually be wondering whether it makes sense to go out on a limb and ask for research time when we could be maxing out our billable hours.

Prudence might suggest we concentrate on revenue-producing activities while we wait out the storm. While this may be a comfortable tactic and enable us to maintain the status quo with little risk, I’d like to argue this is a terrible strategy for the company’s long term health.

One argument in favor of increased investment in research during tough fiscal times is the tried and true “don’t eat your seed corn” argument. If one devotes all their resources to addressing today’s immediate needs, they will be under-resourced to address tomorrow’s challenges.

Another argument for increased research investment is based on the notion of improved competitiveness in times of scarcity. Contract opportunities are fewer when times are tough and G2 will need to win a higher percentage of the opportunities we bid on.

We could perhaps do this with superhuman pursuit efforts and lots of luck, or we could establish a systemic advantage: a reputation for innovation and problem solving backed by concrete evidence of solid processes and a track record of success in innovation.

Many large companies with established research divisions have taken this track, to great success. Tweak this basic idea to account for smaller margins and a less diverse market, and you have a strategy that enables a small company to flourish.

In addition to providing an edge in the short to medium term, prognosticating about the future that will follow these current uncertain times suggests that establishing a reputation for innovation will have big payoff in the long term. It is likely government budgets will stabilize, but my bet is they will likely be no larger, and more likely will be somewhat smaller, than they are today.

The unhappy reality of the government budget with which I am familiar is that an unhealthy percentage of the money is devoted to personnel and keeping the lights on. The discretionary spending needed to keep up with the rapidly changing technical environment is inadequate.

Given my bet that there will not be much new money, and given we can’t ask the tech environment to slow down so we can catch up, agencies are going to need to reduce personnel costs and increase efficiency in their installed base in order to increase their investment in new technology.

It is innovation that enables automation, low-power commodity solutions, smart systems with lower maintenance costs, and other efficiencies needed to break the stranglehold of investment in sustaining current operations. And it seems to me as if this is the kind of innovation G2 is best at.

By going large on research at this time, we can be poised to provide solutions of this type, perhaps even before the customer asks for them.