I'm at the NASCIO Annual Conference in Miami this week, and there is record attendance.
The opening keynote by best-selling author Don Yaeger was inspiring and funny. He told a series of stories from playing one-on-one basketball with Michael Jordan to being mentored by the great basketball coach John Wooden. His major focus was the characteristics of greatness, and here are a few of his 16 points:
Point 1 - It's personal. They hate to lose more than they love to win.
Point 2 - They understand the value of association. You'll never outperform your inner circle. (Who do you spend your time with that pushes you?) Mr. Yaeger told several great stories about Bill Walton being pushed by Swen Nater in practice more than anyone else during the real games.
Point 3 - Greatness is measured by your heart. "You cannot live a perfect day without doing something for someone who cannot repay you." (By John Wooden)
The "secret sauce" that set this opening apart was the emotional story behind every point made - especially the Warrick Dunn stories. Mr. Yaeger emphasized that we each can choose to get bitter or better when we face adversity, and Warrick Dunn chose to get better despite setbacks.
After the opening, I attended a breakout session - Cybersecurity: Emerging Threats, Evolving Roles. The speakers were David Taylor, Florida CIO; Will Pelgrin, president and CEO of the Multi-State Information Sharing and Analysis Center (MS-ISAC); Srini Subramanian, security lead for Deloitte, and Randy Vickers, director of the U.S. Computer Emergency Readiness Team (US CERT).
The panel discussed emerging threats, and Randy started by saying the traditional threats, such as phishing, malware, insider threats and external hackers, are getting much more sophisticated. The best medicine is information sharing and partnering through the GFIRST portal and MS-ISAC.
Mr. Vickers also urged the audience to sell cybersecurity better with new ROI reports and discussions on what's at stake for reputations in states. This will lead to implementation of more best practices.
Will Pelgrin emphasized the speed of change in cybersecurity. He pointed out five areas of concern, including: end of life software, not patching old devices, new technologies such as smart phones, human behavior challenges and new forms of attacks for external bad guys.
Srini Subramanian discussed the need for enterprise privacy officers in states as he discussed the recent Deloitte Survey of States. He quoted one response which described their cybersecurity challenges as being, "an over-the-top suspense movie" that few would believe.
David Taylor said that CISOs obviously need more resources around the country, and he asked Randy if the federal CISO model and/or FISMA was the answer.Randy responded by saying that FISMA had its problems and the federal space still was not best practice. Still, FISMA 2010 was much better.
Will emphasized the importance of collaboration and reporting, and suggested that more command and control was not the answer. He encouraged an approach to win over agencies and gain respect by actions. He did say that some policies must be mandatory - but encouraged giving 18 months to implement them.
Randy basically agreed, but he also responded by saying that we all need "sticks and carrots." He said, "CISOs must have the authority to protect networks from attack."
David Taylor stated that security policies in Florida have the effect of law, and Florida has taken an approach to partner with auditors and assessors to certify systems statewide. Srini added that 80% of states have a good plan, but the implementation of security programs were struggling. In addition, 90% want a singular approach similar to FISMA.
A discussion on scorecards and grading cybersecurity offered a mixed view - with several panelists stating that scorecards offer a good "snapshot of the past." Will suggested that states pick an approach and go with it.
The panel wrapped up with a refocus on shared services within cybersecurity. Randy emphasized the need to work together across state/local/federal boundaries. Cyberstorm III was an example of a good activity to gauge readiness and overall progress.