The story behind DOT's cyber makeover

Richard McKinney says that when he came to the Transportation Department as CIO in May 2013, the agency's reputation for cybersecurity was dismal -- marked by insufficient staff, inconsistent tools and siloed visibility.

"If you're not doing well in cybersecurity, that's like the canary in the coal mine," McKinney told attendees at the Aug. 13 Federal Forum in Washington, D.C. "It's indicative of other things. It's indicative of infrastructure and governance. I don't know anyone who is doing IT very well and screwing up in cyber."

When McKinney arrived at DOT, Chief Information Security Officer Joe Albough had already engaged Mischel Kwon and Associates, a cyber services and strategy consultancy, to do an analysis of the department's cyber posture.

A few months later, Kwon came to a meeting with DOT leadership and went through the cyber analysis, McKinney said.

"It was a very sobering experience for all the operation administrators there," McKinney said. "You could hear a pin drop when she was done and the secretary said, 'Richard, we're going to fix this'"

To accomplish that task, one of the things McKinney needed was to understand why DOT was so far behind.

What he found, he said, was that users were one of the main roadblocks — they were reluctant to engage on the issue and felt that taking additional cyber measures was inconvenient. So McKinney made using cyber tools mandatory for his 400-person staff, an act of will that began to bring people on board.

Under McKinney, DOT was in the first wave of agencies implementing the Department of Homeland Security's continuous monitoring program.

"This quest to be bulletproof isn't the right way to approach cybersecurity," McKinney said. "The right way to approach cybersecurity is thinking about how quick you respond, how agile you are, how quick do you share information about incidents and penetrations. It's more about how you operate day to day to day."