Feds on '30-day sprint' to Better Cybersecurity
While I understand the spirit of this initiative, it reinforces what most of us on the private side of cybersecurity already understand: our government just doesn't get it.

Federal CIO Tony Scott, who apparently appropriated the "sprint" concept from the Agile software development process, may be sincere or just clueless (I have no way of knowing); but this sprint approach to government security suffers from at least three major weaknesses: (1) It is a reflexive, knee-jerk reaction, not a measured approach to long-standing, well-documented, core security weaknesses in government information systems; (2) it encourages point solutions, which lack any sense of planning or coherence. It is like rushing to build an airplane without CAD drawings: you just hope it doesn't fall out of the sky, if it even gets there in the first place; and (3) Scott is mandating the completion of eight major security initiatives across a multitude of entrenched, competing federal bureaucracies.

I could go on, but beating a dead horse is like... well... beating a dead horse.

This whole federal sprint idea is, in a word, nuts.

Some other words that describe it are: naive, silly, rash, misguided, etc. And if patriotism is defined as "devoted love, support, and defense of one's country," then I would argue that this sprint is unpatriotic.

I've spent the past two years working at the CISO level in federal and state agencies, and there is one absolute fact: federal and state agencies are not agile. They are, in point of fact, sluggish, lethargic, even phlegmatic.

The US government can't even make a purchasing decision in less than 12 months. Government is the opposite of agile. Agile methodologies are basically impossible to apply to large organizations such as governments, primarily because these same organizations are wedded to outdated procurement, project management, and implementation policies that are the antithesis of agile. And I would be negligent if I didn't mention the 800-pound CYA factor that practically defines government bureaucracies.

So, let's have our 30-day sprint. It's a good sound bite. Maybe after it's over we can have a three-year sprint to remedy all of the haphazard fixes that this shotgun-from-the-hip approach is bound to create.

:-/