7 ways cybersecurity companies can help government right now

By Lloyd McCoy, DOD manager

The public sector market for cybersecurity tools is only going to grow as federal agencies increasingly look to the commercial sector to help solve some of the most complex cybersecurity problems.

During immixGroup’s 4th annual Government IT Sales Summit, government and industry cyber leaders urged companies to help in a variety of ways, from having a better understanding of agency missions to obtaining FedRAMP authorization.

Here are the suggestions we heard at the Summit panel on Selling Cyber – Helping Agencies Implement What They Need Most:

  1. Speak up early

The National Institute of Standards and Technology (NIST) is tasked with setting guidelines and standards for how commercial technology is developed. The organization wants input from the private sector on how those guidelines are created, says Paul Grassi, senior standards and technology advisor at NIST. He says companies now have the opportunity to make recommendations and provide input from the very beginning of the drafting process. The idea is to avoid big surprises and to make the public-private partnership within NIST even stronger, he adds. Even if companies can’t provide input at any point during the drafting phase, Grassi says he welcomes feedback after guidelines have been implemented.

  2. Volunteer your time and your products

NIST invests a considerable amount of time and resources in testing and developing commercial solutions to cybersecurity challenges that haven’t yet been addressed, so the organization is in search of existing commercial cybersecurity tools to help. This is done through NIST’s National Cybersecurity Center of Excellence (NCCoE), which uses commercial products to build examples of modular, easily adaptable cybersecurity solutions. “This is where we build technologies that solve tough cyber problems that haven’t been solved today, leveraging open standards,” Grassi says. “We only do that with the private sector.”

  3. Focus on mission outcome, not your technology

Don’t lead with what your technology can do for the customer; lead with how to solve the agency’s problems, says Daniel Wiley, head of incident response at Check Point Software Technologies. Also, consider what solutions the agency has already invested in, where it has risks and problems, and how they can be fixed.

“Where do we have enterprise risks, not just within an individual system, but how it relates to our total enterprise and the broader things that we have to deal with,” said Martin Gross, director of network security deployment at the Department of Homeland Security. “I think that’s really critical and we need help to do that.”

  4. Make sure you’re selling interoperability

Agencies want commercial products that are adaptable and interchangeable with other solutions. IT teams don’t want to have to re-engineer with every new implementation, says Douglas Perry, deputy chief information officer for the National Oceanic and Atmospheric Administration.

“NOAA is not going to invest in R&D for some new cyber solution,” he adds. “We’re going to leverage the best in the industry. So address the basics, understand our mission and come to us with good solutions.”

  5. Be open

Any tool or service for the government should have an API, says Steven Hernandez, chief information security officer for the Department of Health and Human Services, Office of Inspector General. Agencies want access to data, and if a product or service doesn’t offer that capability, it’s a deal breaker, he adds.

“If you don’t have an open data mindset and the ability to share the outcomes that your technology or services are producing, go and design that right now,” Hernandez says.

  6. Live in and out of the cloud

Federal agencies are in transition right now when it comes to the cloud. Many are in the cloud and many are not. Solutions need to have the capability to live both in a cloud environment and the brick-and-mortar data center environment, Hernandez says.

“If you can’t deploy in both and you can’t show me risk parity across both, we’re going to have a hard conversation,” he adds.

  7. Get FedRAMP’d

This is vital for security tool vendors. Hernandez says he has many vendors tell him they’re FedRAMP-certified but they’re actually on AWS.

“HHS is one of the most adamant about making sure that any cloud service or provider we bring in meets the FedRAMP requirements,” he says.

To view the entire session, click here. And for more guidance on selling cybersecurity to government, reach out to immixGroup’s Market Intelligence team.

About Lloyd McCoy Jr.
Lloyd McCoy is the Department of Defense Consultant on the Market Intelligence team. Prior to working for immixGroup, he worked in the public sector as a senior analyst with the Defense Department. Lloyd primarily monitors and analyzes issues relating to the Navy/Marine Corps, Defense Health Agency, and the Defense Information Systems Agency.
