SANS Institute security expert talks gaps in public-sector compliance - Baltimore


Jul. 10, 2014 4:22 pm

Cybersecurity industry veteran John Pescatore spoke Wednesday as part of the CyberPoint Speaker Series. "I'd rather flunk my compliance test but protect my clients' data any day of the year," he said.

John Pescatore spoke Wednesday at the CyberPoint Speaker Series.

(Photo by Tyler Waldman)

John Pescatore told a group of security professionals Wednesday that modern security needs to not just be strong — it needs to be user-friendly.

“The average person will accept a $3 bill as long as it looks OK,” he said during remarks for CyberPoint’s speaking series at the Legg Mason Conference Center in Harbor East. “Bad guys don’t just look at technology. They look at new and more diverse ways to do things.”

Pescatore is the director of emerging security trends for the Bethesda-based SANS Institute. His long career began in the late 1970s at the National Security Agency, followed by a stint at the Secret Service and private sector groups like Gartner.

He says, believe it or not, that many public-sector groups have low cybersecurity compliance.

A 2013 study highlighted [pdf, Page 44] the Department of Homeland Security, the Social Security Administration (based in Woodlawn, Md.) and the Department of Justice as compliance leaders — but found lax security at the Department of Agriculture, the Small Business Administration and the Department of State.

However, compliance can’t necessarily save these agencies, Pescatore said. In his very next slide, he referenced the January report of a breach of a Homeland Security web portal.

“I’d rather flunk my compliance test but protect my clients’ data any day of the year,” Pescatore said.

However, he said there must be a “balance” between after-the-fact compliance and taking expensive security measures that may even outweigh the value of the information being stolen. At the same time, Pescatore said, plenty of proactive measures could be taken, ranging from easy fixes such as regular password resets to more complex solutions like port controls, closed systems and access based on need-to-know.


The infamous breach of credit cards used at Target was made possible when hackers stole network credentials from an HVAC contractor, Krebs on Security reported.

Pescatore also spoke positively of the walled garden used on Apple’s iOS, which, unlike Android, limits users only to apps downloaded through its own app store.

“It’s like if you took a goldfish and you put him in a bathtub,” he said. “The users want that. People are using them for real life purposes.”

But at the same time, with the rise of the so-called “Internet of things,” the IT sector “has lost control and will never get it back,” Pescatore said.

“Do we know what’s on our networks? Do we know what’s out there?” he added. “Do we know the vulnerabilities of what’s out there?”

The next CyberPoint talk will host cybersecurity researcher Peter Singer on Aug. 19.
