CISOs: No easy job description
With Web attackers trying to pick every agency cyber lock and electronically masquerading as authorized visitors to gain access to federal networks, chief information security officers must use an array of talents to protect agencies’ systems.
Despite the numerous federal mandates that cover many facets of network protection, CISOs worry about attacks on agency networks, systems and Web sites, said Jerry Davis, deputy chief information officer for information technology security at NASA.
“The Web attacks are unrelenting,” he said. “Managing security around our 8,000 Web sites is daunting, and the bad actors know it.”
Davis said he must also ensure that NASA’s 4,500 applications, 80,000 desktop and laptop PCs, and 15,000 servers at 75 data centers are protected.
Configuration management ranks high as a problem area, he said. Hackers can enter networks through vulnerabilities in a system or application, establish a foothold, and then move laterally across the enterprise, Davis said. In the process, they cover up the weakness that allowed them to enter.
“If I have good identity management, I can answer the basic questions when situations happen of who, what, when, where, why and how,” he said.
CISOs strive for situational awareness, a near real-time depiction of an organization’s security posture with the ability to identify threats, vulnerabilities, and the status of resources and assets, Davis said. But that type of awareness is elusive, he added.
“What keeps me awake is what’s happening in near real time and how do I get my hands on the information so I can act and respond,” Davis said.
Therefore, CISOs must assume a variety of roles to reach all agency organizations with their message about the importance of IT security.
CISOs are generally viewed as technicians and policy enforcers who ensure that agency networks and information are secure. However, effective CISOs also operate as managers of service organizations. They advise and coach agency customers and make themselves part of business functions so they elicit support from agency organizations in complying with information security.
“CISOs have to be managers, too,” said Michael Castagna, CISO at the Commerce Department. “CISOs have to be fully integrated in the business and have an understanding of what the business requirements are in order to do their job effectively.”
CISOs play a crucial role in system development by introducing security early and communicating frequently about its importance, Castagna said.
“As a CISO, you have to proselytize about technology’s benefit, but you also have to warn about technology’s danger because you’re part of a team, and technology is moving ahead,” he said.
It is critical to have the right people working on the issues involved in information security requirements and mandates, Davis said.
Mandates “come over the bow like a flood of water,” he said. “So the point is how to manage all of that.” With mandates, there is also the administrative overhead involved in implementing them and tracking progress.
“I spend maybe the first eight hours of my day just dealing with the administrative overhead and the second eight hours dealing with the real security issues,” Davis said.
Davis tries to handle those issues by structuring the agency’s information security program so that managers in his area run it like a mini-business.
“There just aren’t enough resources out there, whether it’s dollars or people, to manage this,” he said.
That’s where agencies often must make what are referred to as risk trades: deciding not to do something they should because they don’t have the resources.
“It’s what all the CISOs and all IT folks are dealing with,” Davis said. “What those risk trades are is a decision you have to make with your senior leadership, then in communication with the Office of Management and Budget and Government Accountability Office about what it is that you can and cannot do.”
Michael Brown, director of the Federal Aviation Administration’s Office of Information Systems Security, said he uses data visualization to provide situational awareness about information security.
“I had to take all that information and portray it in a way that it related back to the business so the folks who gave out the money understood exactly what it is that I did to be able to enable the business to do the job they’re supposed to do,” he said.
“I could put up all kinds of colors — red, yellow, green — and pie charts, but if I didn’t relate it somehow to what we do, the message is missed,” he added.
For example, if he could demonstrate that poor information security would affect the operations of a major air traffic facility, senior executives would say, “ ‘I understand it now,’ ” Brown said. “ ‘We’ve got to do something. And you have to get more money to prevent that from happening.’ ”
One of the big challenges in IT security is the human element, said Patrick Howard, CISO at the Nuclear Regulatory Commission. Technology is not as difficult to change as the people and processes involved.
“It’s human nature for people to try to work around security policy to do their job,” he said.
Experts say it will take more education for program officers to get security incorporated into system development earlier. In the meantime, offices that oversee information security must be more visible, perhaps by taking on a marketing role.
For example, CISOs can communicate to program managers about how their offices “can support their organization and help them meet their business security needs and keep their project on schedule,” Howard said.
“Customer relations is really big in IT security, to be an enabler,” Howard said. “And you have to get out from behind your desk to do that.”
Davis said he encourages his managers to be “accessible, approachable, responsive and take accountability.” He tries to let the business units know that the IT security program is a service provider and that there’s a security solution for every technology and service.
“You have to be good business, marketing and sales people to let the customer know what’s available, and before they build anything, go and talk with them and see what the security requirements are,” he said. “From there, it’s a matter of managing expectations.”
CISOs try to help program managers view security as an enabler instead of a stumbling block, Brown said.
“If you can show your developer, your users and program officers that what you do is what will allow them to do their job better and more efficiently and more securely, then you make a business case that says, ‘This guy is on my side. He’s somewhat of an irritant, but at least he’s going to help me do my job a little better,’” he added.
One of the leading concerns for Howard is keeping projects on schedule while ensuring that security controls are incorporated and tested properly.
“It’s a fine balance to meet a schedule while ensuring that the minimum security controls are implemented and that you have sufficient information based on sound testing that those controls are functioning properly,” he said.
In the past, CISOs had a tendency to be roadblocks, Davis said. They didn’t always understand the business drivers and requirements, and they focused solely on security, he said, adding that he tries to be a “yes guy” when managers come to him.
People want to do the right thing if they understand it, he said. For example, if managers want to use wireless devices, he tells them that they must lock down the access points and monitor them. Then they understand the need for security.
“I like to get in there very early when programs and projects start to pop up,” he said. “I tell project managers you’ve got to set up a security team now because they’ll probably save 50 percent upfront.”
Problems typically crop up, and it’s more expensive to add security later. “With some of our larger programs, like our Constellation program, I have a daily conversation with the team,” Davis said. “You’ve got to get in there early because the cost does get more the longer you wait.”
Davis said he develops a management plan and schedule for all the activities that he anticipates happening in the next three to five years. Then he maps those activities and anticipated costs to his budget. Priorities will shift, but he includes information security strategies and aligns them with the agency’s business needs.