CISA is growing up, CIO says
CISA's Bob Costello talks top priorities, challenges and growing pains and progress for a CIO office in a relatively young federal agency.
The Cybersecurity and Infrastructure Security Agency is just barely beyond the "toddler years." But its CIO Office is rapidly evolving and maturing to meet the moment, its Chief Information Officer Bob Costello said recently on the FCW Insider Chat podcast.
Congress established CISA as an operational component agency in the Department of Homeland Security in a 2018 law. Since then, the agency has had to reorganize offices and functions that had belonged to CISA's predecessor agency, the National Protection and Programs Directorate.
Now, the CIO office charged with the tech to make that mission run is "very quickly maturing what we're providing to the agency," said Costello.
"We're starting to provide more services natively at CISA [versus] always inheriting them from headquarters or using those solutions," said Costello. "So I think in the last year we've really started to pivot to make sure that the needs of CISA are uniquely addressed, because our mission is different now as an operational component."
Costello elaborated on the agency's growing pains and progress during a Tuesday event held by the Software Alliance, also known as BSA, noting that, "The office has changed dramatically in the last year and a half."
One change: "the prior CIO that was under the older construct of NPPD often actually didn't run any of the IT systems—so everything was either run by the mission side or by DHS headquarters," said Costello. "So in the last year and a half we're starting to take on a lot of additional work."
One big focus, he said, has been a shift to focus on ensuring that the tech his office is rolling out is meeting the needs of the people using it.
"How do we partner, particularly with the mission side, to ensure that we're delivering systems that they can utilize, and also giving them enough freedom to operate the way that they need to," said Costello. "They have to adapt as quickly as the adversary, so some of the old ways of always saying no won't necessarily work for them."
That understanding of the customer includes embedding CIO personnel across the organization, said Costello, to understand them better.
"When I first got there, there was a lot of cross-talk—the CIO's office was saying, 'No you can't do that'—but then, we didn't necessarily have a good understanding of what they were trying to do on the mission side," he said. Now, "we try to get to yes… Sometimes it's understanding the requirement better [or] understanding your customer better."
Organizationally, Costello said that the chief information security officer used to not report to the CIO, which he said didn't work because at DHS, "the CIO… is the only one held responsible for things and the only one with authority… So we changed that."
The chief technology officer, chief data officer and chief enterprise architect also moved into the CIO office, he said.
A challenge has been the size of the CIO office at CISA, said Costello.
"We're only about 103 to 104 federal employees, so we're spread pretty thin in my office. So we have to have very effective contracts. We've reawarded some new contracts in the last year-and-a-half and more [are] coming," he said.
On a day to day level, Costello said that CISA is pushing on modernization and consolidating a fragmented tech infrastructure. Obviously, another priority is the cybersecurity of the technology and systems in the government's primary cybersecurity agency.
This focus on cybersecurity is especially salient given the focus at CISA on getting voluntarily shared information, said Costello, noting that "private sector companies and public sector share with us and expect us to safeguard that information to the same level that they do."
"We have to do everything that CISA says, that we advise others to do," he said. "As we mature our internal processes, we have very tight working relationships with the insider threat program and other aspects of CISA to ensure that if we do have something that goes wrong, if we do have something that goes wrong or if data gets out that shouldn't, we know how to respond to it and we can identify it very quickly."