Federal CISO Schneider knew when to let the cyber cats roam, when to herd them

Grant Schneider probably never intended to be a chief information security officer. He started his career in financial management where he learned how the federal budget process worked.

That type of analytical, fact-based approach served Schneider well when he made the transition to technology.

He spent seven years as the Defense Intelligence Agency’s chief information officer before coming to the Office of Management and Budget—first on a two-year detail where he jumped into the data breach at the Office of Personnel Management and then in the deputy and finally federal CISO roles.

Schneider, who announced in August that he was leaving to join Venable law firm as a senior director of cybersecurity services, was not a flashy CISO, nor was he your typical cyber expert who prefers to remain behind the firewall and not discuss TTP (tactics, techniques and procedures).

He was always accessible, willing to listen to and answer, to the best of his ability, the hard questions, whether about Chinese hackers, the early struggles of the continuous diagnostics and mitigation (CDM) program or why the Trusted Internet Connections (TIC) policy update took so long—by the way, we were hopeful the final vulnerability disclosure binding operational directive would drop before Schneider left on Aug. 28.

Schneider’s successes as federal CISO were probably not obvious to the casual observer because he rarely, if ever, signed off on a public policy, nor did he announce new initiatives—both of which usually came from the federal CIO or even the head of OMB.

But the behind-the-scenes work to get the Federal CISO Council and the rest of the IT and cyber community behind a strategy or concept was all Schneider and his staff.

Federal News Network asked cybersecurity experts who worked closely with Schneider over the last six years for their opinion on his impact on the federal cybersecurity community.

What impact did Grant Schneider have on federal cybersecurity over the last five years?

Josh Moses, the former chief of the cyber and national security branch in the office of Federal CIO at OMB: Grant was essential to reinvigorating cybersecurity leadership from the top of the house, the White House. He was a key strategic advisor as Trevor Rudolph and Tony Scott stood up the Cyber and National Security branch in OMB after the Federal Information Security Management Act Modernization Act of 2014 became law. His experience as an agency CIO helped shape the initial policy direction and inform the hiring decisions for the team. Five years later, we have a strategic direction and a much more comprehensive view of federal cybersecurity, maturity across both large and small agency programs, quality service and capabilities from the Homeland Security Department and a true community of practice. Grant drove these efforts in his leadership capacity at the National Security Council and at OMB.


Ross Nodurft, the senior director of cybersecurity services at Venable and a former chief of cybersecurity at OMB: It’s easier to ask where he did not have an impact. If we think about the time “post OPM,” Grant has either helped shape or directly led all of the major cybersecurity efforts to reform, modernize and bolster federal cybersecurity. During his tenure as the deputy federal CISO and then the Federal CISO, the government has established the CISO Council, developed cybersecurity workforce strategies, issued countless policy memos and tracked risk across the government.

Tony Scott, the former Federal CIO and now president of the Tony Scott Group: Grant played a critical leading role in the initial response to the OPM breach, and then helped craft and implement follow-on initiatives including the National Action Plan, the Cybersecurity Sprint and many other policy changes that have come over the past few years.

What would you point to as 1 or 2 of his biggest accomplishments?

Nodurft: The National Cyber Strategy that Grant put together–given the dual hat of Federal CISO and senior director of NSC cyber–is very important. It elevates federal cybersecurity to a level commensurate with critical infrastructure and sets goals and guidance for how to deliver on those goals.

His work developing and issuing federal government risk reports, where Grant and the OMB team (kudos to Josh Moses, Derek Larson, and Nick Ufier) developed a risk report that measured outcomes and tracked the risks across the federal enterprise. This reporting and way of measuring risk has enabled the federal civilian agencies to move away from a compliance-focused approach to cybersecurity towards a true risk management approach.

His work to stand up the Federal Acquisition Security Council. That body and the processes it will oversee will help secure the federal government for years to come.

Scott: Organizing the initial response to the OPM breach was certainly one of them. At the time, the U.S. government had not experienced anything like that, and there was a great deal of uncertainty as to who should play what role, etc. Grant, based on his prior experience, knew what each agency was good at from a cybersecurity and investigative perspective, and most importantly, had a great personal network and relationships within the broader federal government that he could quickly leverage.


Beyond that, I think Grant was key to building a great team in OMB, and keeping that team focused on the most important activities over administrations and leadership changes.

Moses: Overseeing actions in support of Executive Order 13800—the 2017 Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The EO was a point of continuity between the current and prior administrations on this critical issue. The EO covered agency security, critical infrastructure security and workforce development, and Grant was instrumental at quarterbacking its execution and coordination across the government. The output from the EO, be it the Risk Determination Report, the National Cyber Strategy or a series of supporting EOs, filled a void by setting strategic direction for national cybersecurity. That is no small feat, as agencies grapple with budgeting to maintain, let alone expand, cyber programs each year, and Grant helped provide justification and a North Star for this program for years to come.

Perhaps unsung, Grant was also essential to driving cyber workforce initiatives in the last administration. He was a conduit between OPM and White House leadership, helping to identify and execute on actions that would build the talent pipeline and strengthen the workforce.

Getting agencies to improve cybersecurity is like herding cats. What made Grant successful as the Federal CISO?

Scott: I personally liked his style. He worked in a way that was informative, and collaborative, and with just enough nudging to get things done.

Moses: Grant is adept at listening, which is an essential skill when it comes to working with agencies and understanding the hundreds (literally) of unique challenges that agencies face. A great piece of advice he gave me was “become comfortable with not having an answer,” as you can find a reasonable, feasible way forward by listening to the room and collaborating. In other words, he’s really good at knowing when to let the cats roam a bit before trying to herd them.

Nodurft: His willingness to listen and his ability to convene the right group of folks. He had the respect of the CISO community and that allowed him to reach out to the CISOs as well as their agency leadership to cut through red tape when needed.

What is the top priority for the next Federal CISO?

Nodurft: The next Federal CISO will need to tackle a governmentwide approach to cloud security, given the recent shift to virtual work environments. This will give them a chance to update the Federal Risk and Authorization Management Program (FedRAMP). Additionally, the next Federal CISO will need to work with agencies to establish flexible but similar approaches to supply chain cybersecurity.


Moses: Keeping mission operations resilient in what may be a tough budget climate for cybersecurity over the next couple of years. Recovering from this pandemic and rebuilding government operations after the recovery are going to shift agencies’ resources and priorities. This should force a hard, “smart” look at using more software and cloud-based security solutions to support that resource shift. The next Federal CISO is going to have to keep agencies’ hand on the throttle in that climate and continue to guide agencies to that North Star for program performance.

Scott: Continue to build a great team – people with a few years’ experience in the OMB cyber team are highly sought after, and so recruiting and backfilling open positions will always have to be a number one priority.

Beyond that, I think it’s creating a vision of how federal agencies can best continue to leverage shared assets and common capabilities to address emerging needs vs. each agency doing its own thing, which, although great progress has been made, is an ongoing issue.