Josh Salmanson. The Leidos VP and defensive cyber lead talked digital modernization in a video interview.

Leidos VP Josh Salmanson on Defensive Cyber as Digital Modernization Enabler

Defensive cyber has become foundational to federal digital modernization strategy, shaping how agencies approach cloud adoption, AI integration and enterprise IT transformation.

In a recent GovCon Conversation video interview, Josh Salmanson, vice president and defensive cyber practice lead at Leidos, spoke with Executive Mosaic about embedding cyber resilience into modernization efforts from the start rather than layering it on later.

“It’s a shared organizational awareness that cyber plays a factor in all facets of technology today,” Salmanson said.

From reducing technical debt to deploying cyber deception tools and accelerating risk management reform, Salmanson outlined how defensive cyber supports mission performance across increasingly complex environments.

How Is Leidos Redefining Defensive Cyber In Digital Modernization?

Salmanson said cyber must be designed into systems from the outset rather than layered on after deployment.

“Cyber’s an enabler for organizations when they look to commit to actually moving to a digital modernization story,” he explained.

At Leidos, defensive cyber is integrated across practice areas including cloud, data center, networks, AI, information advantage modernization and enterprise user experience.

“Nobody wants to buy a network anymore that’s not secure. Nobody wants to buy an app that’s going to leak their data,” Salmanson said.

He added that organizations often pay a higher price when security is treated as an afterthought.

“When it’s viewed as more of an afterthought in a comprehensive transformation discussion, success often comes much later in the process and at a much higher price.”

How Is Leidos Helping Agencies Move From Reactive to Proactive Cyber Defense?

One of the most significant proactive measures, Salmanson said, is reducing accumulated technical debt across federal systems.

“When we get rid of the technical debt or we reduce it significantly, we often reduce the attack surface that an adversary has to go after an organization,” he said.

Leidos also deploys cyber deception technologies to slow adversaries and illuminate malicious activity inside enterprise environments.

“It does slow them down and it exposes their activities in a way that when you’re looking in the right way, you can capture the way that they operate and codify it for your sensors to be able to use in the future,” Salmanson said.

In parallel, the company continues advancing training and cyber range capabilities to improve operational readiness.

What Role Does AI Play in Defensive Cyber?

Artificial intelligence and machine learning are increasingly shaping cyber defense, but Salmanson cautioned against overhyping the technology.

“I think AI/ML is definitely on its way. It’ll be here soon, but I don’t know how to define soon. I think it’s not quite yet ready to take on a leading role,” he said.

Still, early adoption is delivering measurable returns.

“Our early adoption is really paying dividends now,” Salmanson said, noting that private AI models and curated large language models could eventually reshape security operations.

Rather than traditional security information and event management workflows, he envisions a shift toward detection engineering and response engineering supported by AI tools.

Why Risk Management Reform Matters

Salmanson also pointed to risk management reform as a major inflection point for modernization efforts.

“Risk management reform has to happen,” he said.

He expects authorization timelines for modern cloud-native systems to shrink dramatically.

“For new cloud native and container serverless based systems, we should be able to get to an ATO and continuous ATO hopefully within under a week in most cases,” Salmanson said.

He emphasized that RMF must evolve beyond compliance.

“It will not be compliance as a checkbox anymore. It will be enterprise risk management as actionable activities that everyone in the organization can support.”

Building Resilience in Contested Environments

Operating in contested and high-threat environments requires different design assumptions, Salmanson noted.

“If you know what you have and how it’s configured and what’s normal on your networks and you know what’s coming, then it’s pretty easy to defend,” he said.

Leidos incorporates automation, cyber deception and spectrum visualization technologies to support defense in contested spaces, including wireless environments where radio frequency spectrum awareness is critical.

When defensive and offensive cyber teams collaborate internally, he added, defensive capabilities improve significantly.

“It’s very easy to learn how to play defense better than the teams that don’t know how to play offense.”

Watch the Full Conversation

This interview is part of Executive Mosaic’s GovCon Conversations series featuring industry leaders shaping the future of government technology.

Watch the full video interview with Josh Salmanson to hear his insights on cyber resilience, AI adoption, risk reform and digital modernization strategy.
