The White House is looking to hire its first-ever chief information security officer (CISO). There’s little doubt that appointing a Federal CISO is a long overdue response to a recurring problem: the inability to properly secure government systems and sensitive data. The list of government agencies experiencing security failures is lengthy, from the Office of Personnel Management attacks in 2013 and 2014, to the State Department email system in 2014, to the latest attack on Department of Justice and Homeland Security computer systems.
According to the job posting for the newly created position, the Federal CISO will be in charge of federal “cybersecurity policy and strategy,” and have “oversight of relevant agency cybersecurity practices and implementation across federal information technology systems.” It’s encouraging to see so much emphasis placed on the critical role of security policy. Effective, agency-wide IT security policies serve as the backbone to any successful security program, as they provide a framework and support mechanism for managing technologies, maintaining order and achieving organizational goals. They also help minimize threats, prevent security breaches and can assist employees in effectively managing risks.
But filling this role will be no easy task, especially considering the current IT security skills gap facing the industry. A CISO must take a holistic approach to managing a security team, creating an atmosphere that challenges and recognizes the security team while taking stock of the skills and the tools they have at their disposal. What would my advice be to the person who ultimately lands this job? Here are five things to consider:
- Be a technologist. A CISO should be a person who can come up with real-world, reliable ways to protect networks, because he or she knows exactly how hackers break in. That requires a deep understanding of the motivations, skill level and methodology of hackers. Recognize that the hacker’s most common internal target isn’t the CEO – most likely, it’s someone within the IT organization, or someone who is the gatekeeper of the most sensitive information, such as human resources. In many cases, cybercriminals go after the weakest link in the organization, which means the CISO must build a policy that protects the most vulnerable stakeholders on the network. Defining the personas of the network’s enemies should inform a CISO’s security policies and strategies.
- Be a futurist. One thing is certain with each new governmental data breach: doing things the way they’ve always been done isn’t the answer. We’re at a point in time where we’re seeing profound changes in the way business and IT are operating. As we ride this digital disruption wave, technologies like cloud and software-defined networking are forcing organizations to look at cybersecurity, risk and compliance in a new way. The incoming Federal CISO must understand that these are not small, incremental changes. They will require a fundamental transformation in some of the core foundations of IT security.
- Be a realist. Clearly, outsider threats at the federal level are a huge concern, with nation state attacks from China, Russia, North Korea and the Middle East escalating by the week. But realists know that a large amount of blame for cybersecurity failures can be placed directly on the network’s own users and managers. The Edward Snowden incident illustrates this with painful clarity. The ultimate insider threat, Snowden exploited the government’s poorly created and enforced security policies, inadequate system structures and visibility, haphazard oversight, and minimal education on best security practices. This made it easy for him to gain unfettered access. The incoming CISO must assume that a breach has already occurred — and that poor user behavior and poorly maintained systems are likely to blame.
- Be vigilant. While many CISOs spend a majority of their time worrying about preventing the next zero-day attack, Gartner’s research shows that 99 percent of cyberattacks are based on known vulnerabilities in vendor software or hardware. In other words, cybercriminals don’t need to re-invent the wheel to get results. That’s why attack vectors such as spear phishing are still being used – they work. The Federal CISO must resist overemphasizing zero-day defenses, and instead build out a comprehensive security policy focused on vulnerability management and patching, as well as an agency-wide policy on network segmentation, regulatory compliance, and cloud security.
- Be humble. CISOs need to admit that they don’t have all the answers. This means evaluating and accepting the areas in which they aren’t delivering, and then making the right improvements. Be honest and ask the hard questions, such as, “Is our technology truly solving a challenge, or is it causing more problems?” They also need to accept feedback and recommendations from their teams about the best approach and tools to fill in the gaps where things aren’t working well.
There’s no question that the incoming Federal CISO will have a huge workload. The role will obviously require a lengthy resume of security and IT experience. But it also calls for someone who is a visionary, with an eye to the future of technology. Most of all, a good CISO must marry this experience and spirit of innovation with the business goals of the organization. It’s essential for CISOs to lead the charge, driving innovation as needed, while reducing complexity wherever possible.