CIOs urged to flex their financial muscle

A retired general tells federal CIOs they need to stop wasteful spending before it gets started, and says they could have a powerful ally in their agency CFO.


CIOs, CISOs, use your hammers.

Retired Brig. Gen. Gregory Touhill, deputy assistant secretary for cybersecurity and communications at the Department of Homeland Security, urged top federal techs to use the powers Congress has given them to keep things on track in their agencies.

“The CIOs and the CISOs have a hammer that in the past they haven’t necessarily exercised well,” Touhill said in a panel discussion on cloud security issues at the Sept. 17 Billington Cybersecurity Summit.

The hammer lies in the form of another C-level leader.

“CFOs aren’t supposed to be certifying funds unless the CIO says [any given project] has met all the different standards,” Touhill noted. “CIOs have the opportunity with all the different legislation that’s out there to actually go and enforce all of these things.”

He pointed to the Federal IT Acquisition Reform Act (FITARA), which beefed up the power of the CIO over funding and, ostensibly, strengthened the CIO-CFO working relationship.

But too few CIOs and CISOs are using their power for good, or at all.

“I’m not aware, and I sit on the federal CIO council, of any great exemplar right now,” Touhill said.

As if on cue, an audience member piped up with a tale of a CISO struggling to even understand what agency leadership was trying to do.

“My agency is about to move to full cloud implementation,” a woman, who said she was a security engineer working under the Corporation for National and Community Service CISO, began.

“Is it public cloud?” the panelists interrupted.

“I don’t know!” she responded. “That’s part of it. I’m not exactly sure, from the security standpoint I’m like, ‘OK, well what stance do I need to take as the security person as far as guiding this move to the cloud?’”

Michael Cassidy, the Justice Department’s chief cybersecurity architect, stayed after the panel to talk through problems and potential solutions with the CNCS engineer, who explained that she and the CISO had been included in the cloud move discussions only midway through the process.

“We don’t want to stop any good work,” she told FCW. “We just want to understand, and make sure it’s secure.”

The visibility and control issue obviously varies from agency to agency. At highly decentralized NASA, for instance, outgoing CIO Larry Sweet controls only about 10 percent of the IT budget.

But wherever they can, CIOs need to be directing funds into well-planned investments to counteract the trend of federal IT spending “head[ing] the wrong way.”

One upside of cloud, DOJ’s Cassidy noted, is that vendors can potentially force updates and patching on which agencies have lagged.

“As we go more and more to the cloud we’re going to see, ‘Well, your IE 9, 10 browser even though Microsoft might support it, we’re not going to support it in the cloud,’” Cassidy said. “We’ve seen that with several [software as a service] providers over the last couple months.”

But Cassidy and Touhill both affirmed that agencies shouldn’t have to rely on outside forces to keep them up-to-date and secure. That power lies with the CIO and CISO, if only they’ll use it.