Data security practices have shifted in many ways since Leidos’ JR Williamson entered the field over 35 years ago. One key change he has noticed is that large prime contractors are no longer the only ones retaining sensitive government data.
Williamson, senior vice president and chief information security officer at Leidos, spoke on this and other topics during a Cyber Guild panel discussion in late 2023 highlighting cybersecurity considerations that are still relevant today.
Williamson said when he began his career, sensitive data was often kept in the hands of large prime contractors with the resources and expertise to manage data safely and securely. Today’s landscape is different.
Small business subcontractors are increasingly holding sensitive data. It’s a break from the previous model in which large primes provided secure environments for small businesses to collaborate. With the advent of the internet and distributed cloud systems, small, and sometimes less-resourced, businesses often manage their own development environments, inheriting the responsibility to safeguard sensitive information.
Williamson’s advice around controlled unclassified information is simple: “If you don’t need it and don’t have to have it, don’t have it,” he said.
Williamson emphasized that trust and responsibility underpin the federal government’s partnerships with contractors.
“With great trust comes great responsibility. If you’re not willing to invest in protecting the information you’re entrusted with, you shouldn’t be doing it,” he said.
Today, organizations are navigating evolving compliance requirements like the Cybersecurity Maturity Model Certification (CMMC), developed to ensure companies meet specific security standards. Williamson emphasized that the essence of CMMC lies in verifying what organizations claim they are doing.
For many small businesses, balancing security investments with operational budgets presents a daunting challenge. The financial burden cybersecurity places on smaller organizations can be significant.
“If IT spend on average is 2% of your revenue, even if it is 30%, that’s a poverty line,” Williamson said.
Beyond compliance, Williamson urged a mindset shift away from working merely to meet minimum standards. While compliance frameworks like CMMC are crucial, the broader focus should be on delivering quality, mission-driven outcomes. Cybersecurity helps ensure a given capability works when it’s needed most.
He advocated for prioritizing innovation and mission alignment over excessive spending on regulatory adherence, suggesting a more holistic approach to risk management.
“Nobody wins just because you’re compliant,” he said. “We need to differentiate either in price or performance — but be outcome driven.”
This sentiment was echoed by fellow panelists who stressed the need for incentives, not just penalties, to encourage better cybersecurity practices.
“There are too many sticks and not enough carrots,” said Exiger’s Carrie Wibben, who also served as moderator. Williamson was joined by Coalfire Federal’s Amy Williams, Easy Dynamics’ Pirooz Javin and Sentinel Blue’s Andy Sauer.