Federal CISOs remove the 'human element,' focus on known risk
Cybersecurity is about assessing risk, not just cataloguing vulnerabilities, and a federal agency's biggest risks often lie within its own workforce, according to a National Security Agency official.
"[We often] put too much in the hands of under-loved, under-paid, under-equipped human beings, and yet that's what we've done in the DoD for a long period of time. We've asked our front-line defenders to solve enterprise-level problems," said Tony Sager, chief of the vulnerability analysis and operations group at NSA.
Large-scale problems must be solved "at scale," and that means removing the human element from information technology where possible and leveraging a "much greater rate of standardization and automation," he said May 5 at a Washington, D.C., event sponsored by InformationWeek called the "Government IT Leadership Forum."
Cyber attacks at the State Department quadrupled between 2008 and 2010, reaching 8,000 last year, said the department's Chief Information Security Officer John Streufert. He decided to take a standardized approach to cybersecurity by focusing on known risks.
Streufert took a census of the attacks against the department and assigned each a numerical value from zero to 10, creating what he called a "risk market" or "monetizing risk" approach. The strategy was built on National Institute of Standards and Technology guidance but enhanced with additional metrics. "We proceeded to turn a dozen additional factors into numerical values, like three points in the negative direction for a missing low patch and ten for a high patch."
By concentrating on known vulnerabilities and containment, Streufert said he could accelerate the pace of patching. Several State Department offices located overseas went from zero to 84 percent patch coverage in 7 days and to 93 percent in 30 days.
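The scoring approach described above is simple to reproduce: every missing patch costs a fixed number of points by severity, scores roll up from hosts to offices, and patch coverage is tracked as a percentage of required patches that are installed. The following is an added example, not the State Department's tooling or code from the article. It uses only the two weights the article quotes (3 points for a missing low-severity patch, 10 for a high-severity one); the inventory of hosts and patch identifiers is constructed for illustration, and the host, office and patch names are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Weights from the article: 3 points for a missing low patch, 10 for a high one.
# Any other severity is not defined by the article and is rejected below.
PATCH_WEIGHTS: Dict[str, int] = {"low": 3, "high": 10}


@dataclass
class Host:
    name: str
    office: str
    required: List[Tuple[str, str]]   # (patch_id, severity) the host must have
    applied: Set[str]                 # patch_ids actually installed


def missing_patches(host: Host) -> List[Tuple[str, str]]:
    """Return the (patch_id, severity) pairs the host still lacks."""
    return [(pid, sev) for pid, sev in host.required if pid not in host.applied]


def host_risk(host: Host, weights: Dict[str, int] = PATCH_WEIGHTS) -> int:
    """Sum the penalty points for every missing patch on one host."""
    total = 0
    for _pid, sev in missing_patches(host):
        if sev not in weights:
            raise ValueError(f"no weight defined for severity {sev!r}")
        total += weights[sev]
    return total


def office_scores(hosts: List[Host]) -> Dict[str, int]:
    """Roll host scores up to the office level so offices can be compared."""
    scores: Dict[str, int] = {}
    for h in hosts:
        scores[h.office] = scores.get(h.office, 0) + host_risk(h)
    return scores


def patch_coverage(hosts: List[Host]) -> float:
    """Percentage of required patches that are installed across the fleet."""
    required = sum(len(h.required) for h in hosts)
    applied = sum(len(h.required) - len(missing_patches(h)) for h in hosts)
    return round(100.0 * applied / required, 1) if required else 100.0


def rank_hosts(hosts: List[Host]) -> List[str]:
    """Host names ordered from highest risk score to lowest."""
    return [h.name for h in sorted(hosts, key=host_risk, reverse=True)]


def prioritized_work(hosts: List[Host]) -> List[Tuple[str, str, int]]:
    """Every missing patch as (host, patch_id, points), biggest payoff first."""
    work = [(h.name, pid, PATCH_WEIGHTS[sev])
            for h in hosts for pid, sev in missing_patches(h)]
    return sorted(work, key=lambda w: (-w[2], w[0], w[1]))


# Constructed inventory (hypothetical hosts, offices and patch identifiers).
INVENTORY: List[Host] = [
    Host("web-01", "Embassy-A", [("KB-1", "high"), ("KB-2", "low"), ("KB-3", "low")], {"KB-2"}),
    Host("mail-01", "Embassy-A", [("KB-1", "high"), ("KB-2", "low")], {"KB-1", "KB-2"}),
    Host("fs-01", "Embassy-B", [("KB-1", "high"), ("KB-4", "high"), ("KB-2", "low")], set()),
    Host("dc-01", "Embassy-B", [("KB-1", "high"), ("KB-2", "low")], {"KB-2"}),
]

if __name__ == "__main__":
    print("fleet coverage: %.1f%%" % patch_coverage(INVENTORY))
    print("office scores :", office_scores(INVENTORY))
    print("host ranking  :", rank_hosts(INVENTORY))
    for host, pid, pts in prioritized_work(INVENTORY):
        print(f"  fix {pid} on {host} (+{pts} points recovered)")
```

Re-running `patch_coverage` after each remediation pass gives the same kind of 0-to-84-to-93 percent trend line the article reports, and `prioritized_work` makes the "monetizing risk" idea concrete: the high-severity patches are worth more than three low ones, so they come off the list first.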