Influencers: Incoming federal CISO can improve US government's cybersecurity
The person who fills the newly created US chief information security officer position will be able to improve the government's cybersecurity, a 77 percent majority of Passcode's pool of digital security experts said.
Hiring a CISO to oversee the security practice of federal agencies and the overhaul of the federal government's computer systems is a major part of the Cybersecurity National Action Plan — and some security experts initially worried it would prove a massive (and maybe impossible) undertaking.
But Influencers who responded to Passcode's survey appeared cautiously optimistic about the new CISO's ability to drive change across the government.
“Naming a federal CISO is the right move,” said Tom Cross, CTO of Drawbridge Networks. “The best way to identify critical weak spots like the Office of Personnel Management database and concentrate the right level of resources on them is to take a high level, systemic view of everything the federal government has.”
However, like many other Influencers, Mr. Cross pointed to potential obstacles to the CISO's success.
“Success in this role in the federal government may be tough,” he said. “The position that has currently been defined may not have the level of seniority required to be effective.”
For the CISO to be effective, added Mark Weatherford, a principal at The Chertoff Group and former Department of Homeland Security official, the White House will need to empower the person with “the right authority and responsibility.” After all, he said, “if it's another figurehead role, it will be a waste of time.”
“Even worse, it will display once again that Washington can't get out of its own bureaucratic way.”
Changing the government's culture — and getting employees at the various agencies on board with taking security seriously — will be a major challenge, several Influencers said.
“A real CISO would first focus on basic security hygiene - which is severely lacking at many government agencies,” said John Pescatore, director of emerging security trends at the SANS Institute. “However, if this position is just yet another talking head about security, no progress will be made.”
Much of the optimism that the CISO can improve the government's cybersecurity is because Influencers say it's extremely poor as it stands. As Jonathan Zittrain, cofounder of the Berkman Center for Internet and Society at Harvard University, puts it: There are “few places to go but up.”
A 23 percent minority of Influencers said the new CISO cannot improve the government's cybersecurity.
“As in past attempts to inject cybersecurity into the federal government from the top down, this can only work if the CISO has the authority to impose change and sanction those people and agencies who fail to change,” said Nick Selby, CEO of law enforcement security company StreetCred Software. “The ‘all-the-responsibility-but-none-of-the-authority’ model has been tried before, and failed quietly.”
Others, like Sascha Meinrath, director for tech policy think tank X-Lab, said simply putting a person in charge of flawed government data collection and retention practices will all but ensure the CISO's failure.
“Without a fundamental rethink of our information architectures and data collection and retention policies, the incoming CISO is destined to fail to meaningfully improve [US government] cybersecurity,” Mr. Meinrath said. “What's needed are radical reductions in the amounts of information stored and the amount of time these data are kept on file.”
Instead, he adds, the US government “continues to pursue practices that more and more information, kept for ever-increasing amounts of time, can somehow be made ‘safe’ — which is decidedly a fool's errand.”
Comments:
YES
“Improvement is a low bar.” - Charlie Miller, Uber's Advanced Technology Center
“In order to be effective, the federal CISO position has to have both responsibility and authority to improve security at federal agencies. A real CISO would first focus on basic security hygiene - which is severely lacking at many government agencies. However, if this position is just yet another talking head about security, no progress will be made.” - John Pescatore, SANS Institute
“While I continue to remain concerned about the lack of independent review of agency budgets, the creation of a federal CISO should help raise the profile of cybersecurity within the Office of Management and Budget and provide a single focus for managing operations across the government. The President's Cybersecurity National Action Plan and the FY2017 budget proposal both acknowledge the need for more centralization of .gov cybersecurity, which I have long sought and which I believe is essential in the wake of the OPM breach.” - Rep. Jim Langevin (D) of Rhode Island
“Yes - if the CISO is given appropriate authority, including authority to impact agency security budgets.” - Influencer
“Must disrupt everything, as it hasn't worked in the past. New approaches, new technology and techniques, and a big bully pulpit to lead change. The right person can make a big difference!” - Influencer
“Pick a name from the phonebook and that person could improve the US government's cybersecurity.” - Marc Rotenberg, Electronic Privacy Information Center
“There is still a lot of immediate action needed. At least one in five government employees does not use two-factor authentication.” - Influencer
“The incoming CISO has a potential role that can be used to educate the public, develop public/private sector cooperation, and promote standards.” - Chuck Brooks, Sutherland Global Services
“Innovative thinking and the building of trust between all actors in leadership in the digital age are crucial to its positive advancement.” - Influencer
“The CISO can focus on a number of areas including changing the culture around security. That is where the executive level emphasis can have impact in the government. Tackling workforce management issues after that would be a steep challenge but improvement is achievable.” - Robert Lee, Dragos Security
“Since the standard or scale of ‘improvement’ is not specified, then yes, if the new CISO updates the security patches of even one USG computer, then the USG's cybersecurity has been ‘improved.’ It's hard not to improve something, when you're starting from such a low base. But, better to light candles than curse the darkness. Hopefully, the new CISO will articulate and formulate cybersecurity standards and policies which will improve the overall security standards of the USG. Hopefully.” - Influencer
“While it is unclear how much authority, budget, support, and direct reports the new position will have, at this point a CISO advocate for the federal government is a good thing. That said the position should be larger in scope, a Federal CSO reporting in parallel with the CIO instead of to the CIO. Many times a CISO reporting to the CIO is like sending lettuce by rabbit.” - Jeff Moss, DEF CON Communications
“Marginally at best.” - Influencer
“Naming a CISO will help unify the civilian government's approach to cybersecurity.” - Stewart Baker, Steptoe & Johnson
“While the proof will be in the authorities granted to and priorities undertaken by the federal CISO, it is imperative the government lead by example if they expect the private sector to do the same.” - Frank Cilluffo, George Washington University
“Someone needs to take oversight and accountability seriously for a change! Which neither USG nor Congress have done yet!” - Influencer
“Yes the CISO can improve cybersecurity - but whether he or she actually will is a different question. Like at any major organization, the USG CISO can be effective if the position is empowered and limited if the role is undercut. Time will tell.” - Influencer
“Greater coordination of interagency resources will help drive better risk mitigation.” - Chris Finan, Manifold Security
“Smart people making good decisions in the right places can always make a difference.” - Influencer
“Only if there is massive overhaul of the dilapidated, antiquated procurement, certification and accreditation processes.” - Scott Montgomery, Intel Security
“The Federal CISO will help drive a unified strategy with the help of the Federal CISO Council and the support of the Federal CIO, and will help ensure needs are raised with sufficient energy to garner positive action.” - Influencer
“It would be hard for them not to. Due to the status quo regulatory and budget routine it makes it difficult to take a risk based approach. What the federal government ends up with is least common denominator security.” - Chris Wysopal, Veracode
NO
“Can any single person make a meaningful difference in this massive broken system?” - Influencer
“Without a fundamental rethink of our information architectures and data collection and retention policies, the incoming CISO is destined to fail to meaningfully improve USG cybersecurity. What's needed are radical reductions in the amounts of information stored and the amount of time these data are kept on file. Instead, the USG continues to pursue practices that more and more information, kept for ever-increasing amounts of time, can somehow be made ‘safe’ — which is decidedly a fool's errand.” - Sascha Meinrath, X-Lab
“Too little time left in the Obama administration.” - Influencer
“According to the job description, the role has no authority to do anything. The person getting this job will sit in a lot of meetings but that is about it.” - Rick Howard, Palo Alto Networks
“This is tough. Perhaps one person can provide some leadership, but the situation didn't evolve overnight. Blaming victims of attacks isn't appropriate, but firing non-performing personnel with security duties almost certainly is, and doesn't happen anywhere near as much as it probably should in the public sector.” - Influencer
“The CISO's effectiveness will be based on personality and cooperation. The real problem is the governing structure (CIO Council) which cannot compel compliance.” - Influencer
“The position has insufficient resources, the wrong tools and no real authority. Federal government is too siloed and this does nothing to break down the walls.” - Influencer