To meet today’s evolving cyber threats, agency leaders must move beyond isolated efforts and embrace a unified, innovation-driven approach to federal cybersecurity. Only by forging deep collaboration — across agencies, with industry partners and around shared mission goals — can government rise to the challenge of true cyber resilience.
This theme came through during this year’s Qualys Public Sector Cyber Risk Conference, where I had a front row seat (literally) to a full day of discussions around risk-based cybersecurity. Here are my takeaways on how agency leaders and industry experts are redefining what it means to work together in defense of our nation’s digital future.
If everything is critical, then nothing is
Data, alerts, vulnerabilities and compliance gaps are overwhelming federal agencies. As a result, agencies must prioritize risk based on mission impact, which requires a disciplined approach to risk scoring and contextual analysis. It’s not about fixing everything; it’s about fixing what matters most.
Sumedh Thakar, president and CEO of Qualys, introduced a concept of moving from attack surface management to risk surface management (RSM). This approach reframes cybersecurity as a risk management exercise, not just a technical one. The key question isn’t “What’s vulnerable?” but rather, “What threatens our ability to execute the mission?”
The entry points for cyberattacks remain consistent: misconfigurations, identity access gaps and unpatched vulnerabilities, which are critical areas to address to achieve operational resilience. When agencies treat every alert as urgent, they tend to focus on volume rather than impact.
To address this, federal agencies must identify their “crown jewels” — the assets and capabilities most critical to mission success — and ensure that cyber risks are evaluated in terms of their potential impact on mission disruption.
A key concept that has emerged in 2025 is the risk operations center (ROC), which serves as a strategic hub to transition agencies from ineffective, reactive security approaches to a more strategic and proactive method for reducing risk, thereby enhancing overall cyber resilience. ROCs resolve the tension between assessors and fixers, ensuring that remediation isn’t just a checkbox but the primary goal. Additionally, the versatility of agentic AI in triaging findings helps agencies reduce many alerts to a few prioritized actions. The result is increased efficiency, reduced exposure and advanced cybersecurity that emphasizes risk over compliance.
Effective visibility starts with normalizing data into a unified view
Data sharing across tools is a start, but it isn’t sufficient. Federal agencies are using various legacy systems, DevSecOps tools, containers and artificial intelligence/machine learning capabilities that do not communicate with one another, according to TraudLinde Clark, chief information security officer at a Justice Department component.
The goal of visibility is not only to share data but also to normalize it across the organization by centralizing information from diverse sources into a unified view. Effective visibility requires consistent normalization, ensuring that all tools operate within the same framework and “speak the same language.”
Without this, federal agencies face fragmented insights and restricted situational awareness. Standardizing telemetry across platforms allows for quicker, more precise decision-making and sets the foundation for automation.
Federal agencies must shift their focus toward indicators of risk
Waiting for a compromise is a losing strategy. Instead, agencies should focus on predictive indicators of risk (IoR) — signals that suggest potential disruption before it occurs. This proactive mindset enables earlier intervention, reduces dwell time, and supports continuous monitoring. The ROC concept embodies this shift, offering a centralized, strategic approach to risk reduction.
Daniel Joyner, a director at CGI, recommended operationalizing threat intelligence. Agencies should collect all of their data, not just the top indicators from Microsoft, and should not focus solely on indicators of compromise.
Those indicators should be mapped to high-value assets and combined with data from mission-critical services through real-time telemetry. Intelligence should logically guide detection and inform access playbooks. Joyner also noted that agencies should invest in AI-powered automation, because the future focus is on speed, accuracy and resilience.
Resilient agencies run on culture, not just code
Technology alone won’t ensure resilience. The strongest control is culture — a mindset that embraces innovation, fosters collaboration and supports automation. Advocate for “SecDevOps” practices, empower teams to innovate, and foster environments that view cyber as an enabler, not an obstacle.
This cultural shift requires giving people “some grace when it comes to the systemic challenge we face in modernization and information sharing,” according to Renata Spinks, former assistant IT director and deputy chief information officer for Information, Command, Control, Communications, and Computers (IC4) of the U.S. Marine Corps, and now CEO of CyberSec International, Inc.
Cultural norms and bureaucratic hierarchies often hinder progress. For instance, government hierarchies can obstruct communication between a CIO and junior personnel, resulting in a “missed opportunity.” In the Marine Corps, captains and lieutenants provide intelligence briefings to generals. Adopting that cultural model can foster the free flow of communication across all levels of government, where all stakeholders — from security and network teams to policymakers and lawyers — are brought to the table to solve problems together. This collaborative approach effectively addresses systemic challenges stemming from disparate systems and information silos.
Unification will safeguard the future of federal cybersecurity
Agencies must unite around a common language of risk, one that connects technical findings to mission outcomes and bridges the traditional divide between assessors, operators, policymakers and innovators. Further, the ROC is more than a hub for cyber defense. It is a model for mission resilience, where cultural change, automation and unified visibility converge so agencies can act quickly, decisively and collaboratively.
As threats evolve, federal agencies’ measure of success will not be in how many vulnerabilities each agency catalogs, but in how effectively they protect their missions and public trust. To achieve this, federal leaders must embrace a future where cybersecurity is framed not as a technical burden but as a shared, mission-driven responsibility — one language of risk, spoken across every agency, powering cyber resilience at scale.
Jonathan Trull is chief information security officer and senior vice president for security solution architecture at Qualys.
Copyright © 2025 Federal News Network. All rights reserved.
