I've seen a few glimmers of hope appearing in the .gov space recently, so I wanted to note them here.
Linda Cureton in her NASA CIO blog said:
We have struggled in the area of cyber security because of our belief that we are able to obtain this ideal state called – secure. This belief leads us to think for example, that simply by implementing policies we will generate the appropriate actions by users of technology and will have as a result a secure environment. This is hardly the truth. Not to say that policies are worthless, but just as the 55 mph speed limit has value though it does not eliminate traffic fatalities, the policies in and of themselves do not eliminate cyber security compromises.
Army General Keith Alexander, the nation's first military cyber commander, described situational awareness as simply knowing what systems' hackers are up to. He goes on to say that with real-time situational awareness, we are able to know what is going on in our networks and can take immediate action.
In addition to knowing our real-time state, we need to understand our risks and our threat environment... It is through an understanding of the state of our specific environment and the particular risks and threats we face where we can take the right actions to produce the results that we need.
Well said. Will anyone else pay attention?