A famous leadership coach said, “Only Superman can leap tall buildings in a single bound; the rest of us must chip away at our goals one day at a time.” What a fitting quote for the newly created position of Federal CISO, announced by President Obama last week. The task this role inherits, organizing, equipping, training and leading the nation’s cybersecurity programs, is not only daunting; historically, every attempt at it has been an utter failure.
Many would argue that the closest precedent for a top leader of the federal information security program was the position of Cybersecurity Czar, first created under George W. Bush. Although the nation’s first Cybersecurity Czar was outspoken and very knowledgeable, his style and approach led him to depart the position within two years. Ironically, many books were written and many debates held about that period, but I think one aspect of the position that most people agree on is that it accomplished little to improve the country’s cybersecurity posture or lead the country to the next level.
Let’s see if we can draw some brief lessons from those past failures and look towards the United States building a world-class, respected program.
New Federal CISO vs. Cybersecurity Czar?
Now, one might reasonably ask: if we already have a Cybersecurity Czar, what is the difference between that role and the newly minted Federal CISO role?
Well, let’s look at the responsibilities of the Cybersecurity Czar:
- Orchestrate and integrate the government's cyber policies.
- Work with the Office of Management and Budget to make sure federal agencies have the necessary funds to deal with cybersecurity issues.
- Coordinate the response to a major computer incident or attack.
Fulfilling these duties requires the Cybersecurity Czar to collaborate with various government agencies. For example, the Czar works with the U.S. Department of Defense (DoD), which operates both a cyber command to protect military computer networks and the Defense Computer Forensics Laboratory to handle cases involving counterintelligence, terrorism and fraud, and that is just scratching the surface.
Now let’s look at the job description of the new Federal CISO, as described by the Federal CIO, Tony Scott, to whom the role will report:
- Serve as the federal government's lead cybersecurity strategist in cyber-risk assessment of the federal IT environment
- Act as the liaison between the White House and the departments of Homeland Security and Defense, the Office of the Director of National Intelligence and agencies' CISOs for all federal cybersecurity activities.
- Hold a Top Secret/Sensitive Compartmented Information (TS/SCI) security clearance. The Federal CISO will handle information concerning and derived from sensitive intelligence sources, methods and analytical processes.
- Chair the Federal CIO Council's Information Security and Identity Management Committee as part of his or her duty to effectively coordinate and align agencies' CISO IT security governance.
- Establish a government-wide program to address the recruitment, retention and training of cybersecurity experts, with a focus not just on technical experts but also on versatile professionals who can effectively advance IT in step with the government's mission and business functions.
- Design, implement and maintain effective cybersecurity performance measures for the federal government and lead the effort to maximize the value and effectiveness of the security performance measures associated with the Federal Information Security Management Act.
The new CISO will be housed in the Office of E-Government and IT within the White House Office of Management and Budget (recall that the original Cybersecurity Czar position also sat within the White House) and will receive an annual salary of between $123,175 and $185,100 (compared to an average chief security officer salary of $140,250 to $222,500, according to the Robert Half Technology 2016 Salary Guide).
Four Suggestions for Future CISO Success
Have a vision and sell it: No one with real authority has articulated what the future of cybersecurity means for the United States, let alone sold that vision. Be the first one!
Patience: This is not a sprint but a marathon. The federal government needs someone who can balance a future vision against the realities of how our government actually works, the ‘sausage factory’ through which any vision must pass.
Investment balance: The idea that the government is underfunded and lacks proper resources is a farce. The newly minted CISO will benefit greatly from maximizing the return on the dollars that are already being spent.
Establish a new framework: With accountability we need responsibility. For a high-performing CISO role to work properly, strategy and operations must be accountable to the role. This also means that compensation, and a set of rewards and punishments, must be set appropriately. If the new CISO accomplishes nothing more than putting in place a workable structure whereby a security professional can be adequately compensated, without a personal financial tradeoff, for employing their talents in service of the US government, then they will have moved a mountain.