How Chief Information Security Officers put cybersecurity at the top of officials' minds.
Say you're a beef inspector. Or a firefighter. Or a doctor treating critically ill patients. Do you think much about cybersecurity? Is it integrated into your daily work routine? The answer probably is no -- but federal officials are hoping to change that.
Cybersecurity already ranks as a top priority at agencies such as the Defense Department, Homeland Security department or in the intelligence community. Increasingly, cyber awareness is spreading throughout the government, but those in charge of implementing IT security into daily operations are finding it is difficult to catch up with threats, let alone get ahead of the curve.
Often, these types of responsibilities fall into the hands of the chief information security officer, or CISO. That's usually the person saying, no, you cannot use your personal iPhone on federal networks, or no, you should not plug that jump drive you just found into your work computer. The CISO also must find ways to keep agencies safe from cyber threats.
"We don't have a big stick. People assume we say, 'you do this,' and that's the end of the discussion," said Chris Lowe, associate CIO and CISO at the Agriculture Department. "At different organizations that may be the case...but in a loosely federated civilian space, it's very hard to say do it or else, because 'or else' means I'll just have to work around you."
Lowe and other CISOs spoke at the FOSE conference in Washington May 14. FOSE is sponsored by 1105 Media, the parent company of FCW.
"This is a process where you have to evangelize what you're after," Lowe said. "You say ['continuous monitoring'] and people's eyes glaze over. You have to show them what it means for them, why it’s useful and how it will benefit them."
That evangelization includes showing agency officials how cybersecurity relates to their agency mission, he said. "Some of the people have been worked there for most of their lives. They live their mission; it's who they are both personally and professionally," he said. "They do what it takes to get the job done. If you can't tie enterprise security into that mission somewhere, then you're not going to get a response."
Integrating IT security also hinges on building networks of teams – a coalition of the willing, according to John Rasmussen, CISO and associate privacy officer at Oregon Health and Science University.
"Network building is the most important part of the job; you have to win advocates for moving forward with security controls in our systems," Rasmussen said. "Meetings don’t seem productive, but when you're meeting with stakeholders you have to go out there...and make it real for them about what they're protecting and how you're helping them do their job."
For managers at most federal agencies, this probably feels familiar. But many, if not most, also feel the pinch in more than just the integration of cybersecurity into daily operations. Outside of DOD, DHS and the National Security Agency, it also is tough to attract the cybersecurity professionals desperately needed to defend government networks against attacks. And even at the agencies that appear most alluring to would-be cyber pros, significant shortages remain -- even as managers struggle to figure out just whom they should be hiring.
"Where are our cyber professionals coming from, and what might their background look like? I'm fortunate to have a doctorate in electrical engineering, but there's almost none of me," said Ronald Layton, deputy CIO at the Secret Service.
"For every U.S. graduate with a bachelor's degree in engineering, India produces 200 to our one," Layton continued. "What we really need is hard science and soft science. It's not just someone who can sit down and do HTML. We need both sides of that coin, and both are equally valuable."
While the problems are not necessarily new, the accelerated efforts to address the problems – education outreach, increased training, broader awareness and federal funding boosts – are promising, the officials said. It would appear the cyber evangelism has taken root. Yet they still fear falling behind.
"It's a slow process," Lowe admitted. "I've said it before and I'll say it again – security is not a quick win. You have to deal with the people. Technology is never the answer. It's got to be about engaging the hearts and minds to push the envelope to a new paradigm."