Plenty of chief information officers over the years have warned against becoming the “CIO of no”; that is, if you always tell employees no, they’ll eventually find a way around you. Tiina Rodrigue, chief information security officer for the Consumer Financial Protection Bureau, takes it a step further, helping employees to understand that security is “the path to yes.” Her goal is to help every CFPB employee understand their role in securing the enterprise, while always finding that middle ground that lets them accomplish their jobs quicker, better and more securely.
That’s been one of her biggest initiatives since she started in the position in 2018: making sure role-based training takes everyone into account, not just the cyber personnel. People aren’t usually malicious or dumb, she said. Instead, the problem is that they tend to look for shortcuts that can have unintended cybersecurity implications. Most people, she said, have higher privileges for sensitive data than they realize, and casual decisions can have cascading impacts.
“We’re not looking for new or exciting technology,” Rodrigue said. “In fact, just philosophically, I have found that adoption of new technology, when you haven’t fully used what you already have, will actually make you less secure. More technology is not always the answer. Making sure that you have a comprehensive security posture based off of policy, people, process and technology working together is the key here.”
“The last thing we want is for anyone to think that they have zero trust, and literally what they have is zero truth,” she added.
That’s one reason she spent a significant amount of time traveling to CFPB’s various regions to reinforce that people-first message and engage with employees in as many different ways as possible. That included lectures, office hours, meeting people in their free time and other ways of connecting and getting the message across.
Rodrigue said building the desire is most important. People just want to get their jobs done. She wants them to want to get the job done securely. That’s a major shift in perspective.
“We pulled all of the major initiatives we had over the summer,” she said. “We pulled them together into a campaign called SPF 23. And part of the strength of that is we built out the multi-level branding campaign around it to include an icon and everything along that line, taking elements both from gamification as well as nudge theory and worked it into helping people understand how what they do every day impacts how secure we are.”
One big part of that, she said, is stressing that when the agency pivots, that includes everyone, not just the cybersecurity team.
“Part of what we’ve had to do on a human basis — because we have not been able to patch the people — is we’ve had to make sure that they understand that this isn’t just cyber for cyber sake, but that it’s actually serving the greater purpose and that it is also their job to ensure we’re secure,” Rodrigue said.
It helps that CFPB is a smaller, newer agency — it’s only 13 years old, and it’s got around 5,000 employees. That means there’s less legacy technology to deal with, and it’s easier to shift the culture. It’s already 70% cloud-based, which Rodrigue said made it much easier to pivot to 100% remote work during the pandemic.
But that doesn’t mean Rodrigue is resting on her laurels when it comes to IT modernization.
“We have, much like the rest of the world, found that importance of configuration and making sure that drift does not occur. Otherwise you’re going all too fast and everyone’s getting furious,” she said. “We need to make sure that as we build things in the cloud, that they stay safe and that we are following the mechanism. So it really puts more emphasis on continuous monitoring and making sure that as other changes occur, nothing in the back roads changes to us. We want to make sure we’re intelligent with our design and that we’re secure by default.”
That means thoroughly testing every instance and aspect in the cloud, especially as the agency adopts new platforms. It means being intentional about changes to avoid unintended consequences. Rodrigue said she has seen in industry how unintended consequences can have major security ramifications.
“We hope not to have that piano fall on us,” she said.
Daisy Thornton is Federal News Network’s digital managing editor. In addition to her editing responsibilities, she covers federal management, workforce and technology issues. She is also the commentary editor; email her your letters to the editor and pitches for contributed bylines.