Robust cybersecurity depends just as much on management as it does on the actual technology, according to a handful of federal chief information officers relatively new to the job.
"There are enough resources to do great security if that's what we prioritize, but we don't always prioritize it," Jonathan Alboum, CIO at the Agriculture Department, told an audience in Washington last week.
Still, Alboum said USDA had been able to "pivot employees" during the recent "cyber sprint," an Office of Management and Budget-led effort to shore up cybersecurity practices following the Office of Personnel Management hack. During the sprint, Alboum said, "what was most important was having the secretary think it was important," adding, "we re-prioritize people's time."
He added later, "we want to use that same approach as we look at patching systems or implementing other security protocols or improving overall security . . . I want to get out of the mode of being surprised by [cyberthreats]."
Current reporting methods focus too much on the "lagging indicators" of cyberthreats, according to Robert Foster, CIO at the Department of the Navy.
"The adversary is a lot faster in their decision cycles, and as they start moving laterally, they're not really looking at FISMA reports," he said, referring to the annual security reviews mandated under the 2002 Federal Information Security Management Act.
Rafael Diaz, CIO at the Department of Housing and Urban Development, said it was up to chief information security officers and CIOs to articulate the importance of cybersecurity to other federal decision-makers.
"Our auditors are not helping us get that message across," he said, calling it a "process and people problem."
Michael Brown, CIO of Immigration and Customs Enforcement, argued "IT should get equal standing with any other risk and cost decision in an organization . . . as long as we can bring the IT risk-reward equation to the budget table, and the strategy table, then I think we're doing the right thing."