A new piece in Federal Times excerpts remarks by Phyllis Schneck, the DHS Deputy Under Secretary for Cybersecurity and Communications, at a conference in DC earlier this week. The remarks provide a useful overview of current cybersecurity activities and challenges at the Department. One notable challenge that she discusses is the difficulty of measuring and quantifying the benefits of investments that provide classified threat information to private sector partners:
“We’re also able to do what a few years ago was unimaginable: Protect the private-sector critical infrastructure with classified information. So we’ll look at how you use those indicators to protect our critical infrastructure partners. And really looking at the science of that. Classified information is difficult to manage, right? It’s hard to do it right, it’s expensive. So how do we measure the impact, what are the metrics on return on investment? How do we get that business case right so that, yes, we may block a million things that don’t matter, or, yes, we may miss a million things, but if we get the one thing that could’ve been very bad, that’s worth it.”
The remarks also highlight her top three priorities: (1) building trust, (2) situational awareness, and (3) implementing EO 13636 and the NIST Framework. You can read the full remarks here.