Melissa Hathaway's presentation at RSA Conference 2009 appeared to embrace a more risk-based approach to enterprise security, which should include heavy doses of vulnerability management work.

The big news on Wednesday at the RSA Conference 2009 in San Francisco, and what many had touted as potentially the most important story coming out of this year’s annual industry confab, was acting Cyber Czar Melissa Hathaway’s update on the Obama Administration’s recently completed 60-day cyber-security review.

And while many RSA attendees seemed somewhat disappointed by the level of detail that Hathaway – whose official title is Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils – was able to provide in her “Mission Impossible” themed keynote, one message that affects the vulnerability management space in which Core Security operates rang loud and clear: the U.S. government needs to foster a more risk-based IT security model than it ever has in the past.

Many of the people that I spoke with – including IT security practitioners, solutions vendors, systems integrators and government experts like Core Security’s Vice President of Security Awareness, Tom Kellermann – feel that the Administration’s 60-day review will ultimately endorse many of the same recommendations made in last year’s report issued by the CSIS Commission on Cybersecurity for the 44th Presidency, to which Kellermann was a key contributor.

The conclusions that Hathaway was able to share on Wednesday seemed to highlight the need for the U.S. government to adopt many of the same risk-based security methodologies being championed in the private sector today.

“Despite all of our efforts, our global digital infrastructure, based largely on the Internet, is not inherently secure enough or resilient enough for what we use it for today, and what we will need it for in the future,” Hathaway told a packed room at the Moscone Center. “This reality poses one of the greatest technological and economic challenges of the twenty-first century.”

And while Hathaway stopped short of endorsing any specific types of technological solutions that will need to be adopted to help solve the many issues that plague the Internet in terms of stemming cybercrime, the Cyber Czar’s tone clearly favored a more comprehensive approach: identify the Web’s most dangerous risks first, then close off the avenues that have been so widely available to cybercriminals in recent years.

For us at Core Security, that’s just the type of strategy we’re hoping to see leading officials adopt to help mature the IT vulnerability management models that already exist across the U.S. government today.

Some of our oldest and largest customers are federal agencies, who, as a vertical market, have actually led the way in their use of internal Red Teams, mandated IT security assessments and adoption of automated penetration testing solutions, including CORE IMPACT.

However, as Tom and our government team have been telling their counterparts in the federal space for years, the only way for the nation to truly improve its IT security posture as quickly and effectively as possible will be to embrace these programs even more broadly.

With last year’s publication by the National Institute of Standards and Technology (NIST) of its Special Publication 800-53A, specifically the document’s Appendix G segment, we saw those experts responsible for driving new federal security policies embrace the use of penetration testing as one of the most powerful methods for rapidly assessing individual agencies’ existing exposure to cyber-attacks and electronic data theft.

As Tom and many others working on Capitol Hill have been saying for years, it would only seem logical that the U.S. government begin pushing for broader use of penetration tests and other vulnerability management practices to help address the many IT-based risks that we face as a nation going forward.

In terms of improving matters of online security, we would argue that performing more frequent penetration tests on underlying Internet infrastructure, and on Web applications themselves, is already one of the most effective means of advancing both public and private sector cyber-defenses.

Pretty soon we should find out just what the detailed conclusions of Hathaway and her team’s report will actually recommend.

Hopefully, by advancing more proactive risk management strategies via automated pen testing, we’re already headed in the right direction.