Why senators need a CISO

In the age of mobile devices and cloud computing, people can be the biggest threat to an organization's security.

"The perimeter is the user, and we have a huge problem," said Linus Barloon at a Feb. 16 breakfast hosted by cybersecurity analytics firm RedSeal.

As IT security branch manager at the U.S. Senate Office of the Sergeant at Arms, Barloon is charged with protecting the networks of 100 senators in the nation's capital and at some 470 state locations. Each individual network typically has 50 or fewer users.

He said one of his biggest challenges is effectively explaining the "so what?" of cybersecurity to his customers. He lacks the authority to issue mandates to Senate employees and doesn't brief senators on cybersecurity issues, so he has to be creative and effective with his messaging.

"My challenge that I deal with on an everyday basis is how do I quantify this" for agency decision-makers, Barloon said. "[Chief information security officers], guys like myself, we have that responsibility to give them that information to make that decision and then track that over time so from a CIO perspective, she can track where...her security investment [is] going."

The Senate provides a demonstration of the risk assessments customers make. For instance, the websites of senators Rand Paul (R-Ky.) and Cory Booker (D-N.J.) use HTTPS, while others, including presidential candidate Marco Rubio (R-Fla.) and Senate Minority Leader Harry Reid (D-Nev.), are still on HTTP -- despite the HTTPS-only standard the Office of Management and Budget pushed last summer.

"You can kind of look at it like state police," Barloon said. "We're responsible for securing the roads, securing the alleys, securing the streets and securing all those types of functions, but our security to some degree stops at the doorstep of the member's office."

Individual senators' systems administrators make the calls inside those offices. Barloon's team offers to meet with the administrators monthly and supply security certificates, but the decisions are up to them.

Although he might not like some of those decisions, Barloon didn't blame users. "I don't know that we as cybersecurity professionals have educated the users...on the importance of why cybersecurity is a big deal," he said.

To help get that message across, Barloon has brought in cybersecurity pros from organizations such as the National Security Agency and Virginia Tech to offer their perspectives.

Nevertheless, he said CISOs often need to work with their customers' risk profiles. In those cases, resilient networks are essential.

"The president, the vice president, the first lady -- they all have their job to do," Barloon said. In a recent effort to secure the White House Communications Agency, "taking the network down for a patch wasn't necessarily going to be an option, so I had to come up with some resiliency."

About the Author

Zach Noble is a former FCW staff writer.

