Presented by Wiz and Carahsoft
At the Google Public Sector Summit, Chris Saunders, Worldwide Director of Public Sector Solution Engineering at Wiz, offered a candid assessment of how government cybersecurity must evolve. For decades, agencies have relied on compliance-driven frameworks like the Risk Management Framework (RMF) to demonstrate security readiness. Saunders argued that while those frameworks were built with good intentions, they’ve become outdated in practice.
“RMF was meant to reduce risk,” he said. “But in many cases, it’s turned into a checkbox exercise. Agencies focus on fixing every vulnerability instead of addressing what actually puts them at risk right now.”
Saunders contrasted that mindset with the private sector’s approach. “Industry doesn’t try to fix everything at once,” he explained. “They prioritize. They focus their limited time and resources on the vulnerabilities that can actually be exploited.”
This shift from compliance to risk-based prioritization is essential, Saunders said, for agencies aiming to modernize securely. “Government needs to move away from point-in-time assessments toward continuous, prioritized risk management,” he said. “We have to focus on what leaves us most susceptible to an attack.”
The challenge, he noted, is that modernization efforts—like cloud migration and the adoption of AI—are introducing more complexity. “Everyone wants to get to cloud-native architectures and leverage GenAI,” he said. “But security teams aren’t expanding. They have the same or fewer resources.”
Saunders believes the solution lies in democratizing security across the enterprise. “We can’t have siloed teams using different tools, scanners, and data feeds,” he said. “Everyone needs to operate from a single source of truth about risk. When developers, security professionals, and operations teams all see the same data, they can prioritize effectively and scale security with modernization.”
He also spoke about the evolving meaning of cyber resilience. “Twenty years ago, releasing new software once a month was fast,” he said. “Now, organizations want to release software at any time of day. To get there, security must move at the same speed as development.”
That means leveraging automation and AI to continuously assess and manage risk. “We can’t stay stuck in the legacy way of doing security,” Saunders said. “If we don’t modernize RMF and our thinking, we’ll fall behind—not just technologically, but globally. We need to innovate as fast as our adversaries.”
Key Takeaways
- Compliance-based security models like RMF must evolve to continuous, prioritized risk management.
- Security must be democratized so every team works from the same source of truth.
- Cyber resilience now means matching the speed of modern development through automation and AI.
