Without a doubt, the breach suffered by the Office of Personnel Management last year thrust federal chief information security officers into a new kind of spotlight. Much as chief information officers emerged in the late 1990s and early 2000s, when IT started to take over how agencies deliver services and meet their missions, executives are now looking to CISOs for answers to a never-ending cyber threat.
“We received a lot of attention in the cyber world and I think that’s good,” said Rod Turk, the CISO at the Commerce Department, during the April 5 breakfast sponsored by the AFCEA chapter in Bethesda, Maryland. “It’s mind-boggling the number of reports we have to send to the Office of Management and Budget, the Homeland Security Department and Congress, but what that does in addition to just being reports is those results are briefed at a higher level. The President’s Management Council and the White House have used those reports, and we have immediate interest at the deputy secretary and secretary levels into what’s being reported out of our office.”
Turk said he had a recent meeting with senior executives at Commerce and one made a point to the secretary about how important it is to have visibility into the agency’s cyber health.
Chris Lowe, the Agriculture Department’s CISO, said he’s seen a lot of urgency around cyber over the last year. But, he said, part of the challenge for CISOs is to figure out what is unique to the mission space or department, and how to develop appropriate risk and governance models.
As expected, the panel’s conversation shortly moved to the White House’s plan to hire a federal chief information security officer, which it announced in February as part of the Cybersecurity National Action Plan (CNAP).
The Office of Management and Budget’s job announcement for the federal CISO position closed Feb. 26, and now officials are going through the vetting process.
So while OMB looks for the best candidate, the role of the federal CISO remains a hot topic for discussion particularly now as spending on cybersecurity is increasing to $19 billion, and concerns about attacks remain high.
“As they created a higher-level federal CIO and that person became a leading voice, I’m hoping the federal CISO will also do the same,” said Tom DeBiase, deputy CISO at DHS. “It would give all of us a voice at that table and pull together a CISO council that will be a guide for all departments. Given all the requirements of cybersecurity right now, having a federal CISO is going to help a lot as long as it doesn’t become another set of reporting requirements that we have to do.”
DeBiase added that the federal CISO shouldn’t try to control all the government CISOs, but help develop consensus around what federal CIOs, OMB and others need to do to protect federal systems and networks.
“The federal CISO needs to be a partner for all of us,” he said. “If they bring someone in who will have a lot of power, that’s probably the wrong way to go. The person needs to be an influencer, which is the better way to go.”
Lowe said he’s not aware of federal CISOs as a group discussing the role with OMB.
“I know individuals had conversations and we’ve certainly had it with our OMB folks and they are very receptive to that idea because they too struggle with how to provide a consistent voice to the federal security community,” he said. “I think you will see more of that coming through some of the traditional venues, whether it’s the federal CIO Council or the Information Security and Identity Management Committee (ISIMC), we work to improve the practice. We work to find a common space and that’s where a federal CISO would be hugely valuable in making those concerns align.”
As federal CISOs try to “influence” OMB about what the role should look like, I asked a couple of former government IT executives to weigh in.
Pat Howard, a former CISO with the Nuclear Regulatory Commission and the Department of Housing and Urban Development and now a senior cybersecurity consultant at Kratos SecureInfo, offered a view similar to that of Turk, DeBiase and Lowe.
He said the federal CISO should focus on prioritization, oversight, advising and governmentwide budgeting.
Howard said in an email to Federal News Radio that among the most important requirements of the federal CISO are the ability to lead people and manage change, manage crises and have knowledge of industry cybersecurity capabilities.
He also said a CISO Council made up of department and agency CISOs would be a big step forward and should “establish policy positions and program priorities to drive governmentwide cybersecurity efforts.”
“The CIO Council was never willing to give sufficient autonomy/authority to its cybersecurity subcommittee,” Howard said. “There were other governmentwide cybersecurity committees that competed with a potential CISO council, such as the DHS-sponsored, large-agency CISO forum. This was great for communicating agency-level issues, but was not regarded as authoritative.”
But Rob Carey, a former Navy CIO and deputy DoD CIO, said creating a new CISO council may not make sense in the overall scheme of things.
Carey, now vice president of Navy and Marine Corps programs for Vencore, said that in the past, when this issue came up before the CIO Council, the concern always has been about separating security from the CIO’s role. Carey served as co-chairman of the ISIMC for several years when he was in government.
“The function of security needs to be highly and closely tied to information management that the CIO has to be in charge of because security is a function that must be embraced by the CIO,” he said. “Having another council will create two separate vectors. The CIO is sanctioned in law and is doing its thing, and a CISO council doing its thing telling the CIO council what it should or shouldn’t do isn’t a good thing. I would love to have the CISO sitting behind the CIO council.”
Carey said that’s why the federal CISO should be an orchestrator or conductor of all federal cyber activities, and work closely on budgets and prioritization of initiatives.
“There was a call to make the CISO a direct report to the deputy secretary and a peer to the CIO,” he said. “In my opinion they need to be bonded, not fighting. CISOs can’t run around the boss to say they are doing something wrong. They need to come to the boss as a unified function.”
Carey said the White House’s cybersecurity adviser role, currently held by Michael Daniel, has seen limited success mainly because it wasn’t responsible for the actual outcomes to improve federal cybersecurity.
That’s why Carey and other current and former federal executives agree that there is a need for a federal CISO, as long as the person has the authority and responsibility, and is positioned correctly, to influence federal cyber efforts.