Why senators need a CISO

Users might be daredevils or they might not fully understand their cybersecurity risks, said the man in charge of protecting U.S. senators' networks. Either way, CISOs have to work with what they've got.


In the age of mobile devices and cloud computing, people can be the biggest threat to an organization's security.

"The perimeter is the user, and we have a huge problem," said Linus Barloon at a Feb. 16 breakfast hosted by cybersecurity analytics firm RedSeal.

As IT security branch manager at the U.S. Senate Office of the Sergeant at Arms, Barloon is charged with protecting the networks of 100 senators in the nation's capital and at some 470 state locations. Each individual network typically has 50 or fewer users.

He said one of his biggest challenges is effectively explaining the "so what?" of cybersecurity to his customers. He lacks the authority to issue mandates to Senate employees and doesn't brief senators on cybersecurity issues, so he has to be creative and effective with his messaging.

"My challenge that I deal with on an everyday basis is how do I quantify this" for agency decision-makers, Barloon said. "[Chief information security officers], guys like myself, we have that responsibility to give them that information to make that decision and then track that over time so from a CIO perspective, she can track where...her security investment [is] going."

The Senate itself demonstrates the varied risk assessments those customers make. For instance, the websites of senators Rand Paul (R-Ky.) and Cory Booker (D-N.J.) are served over HTTPS, while others, including those of presidential candidate Marco Rubio (R-Fla.) and Senate Minority Leader Harry Reid (D-Nev.), are still served over plain HTTP -- despite the HTTPS-only standard (Memorandum M-15-13) that the Office of Management and Budget pushed last summer.
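The HTTPS-only standard asks for more than a certificate being present: a plain-HTTP request should be redirected to an https:// URL, and the HTTPS response should carry a Strict-Transport-Security (HSTS) header so browsers stop trying HTTP at all. The script below is an added example of how an auditor would score a site against those two checks from its raw response heads; it is not code from the article, the Senate Sergeant at Arms, or OMB. The example.gov hostname, the HSTS_MIN_AGE threshold, and the sample responses are all constructed for illustration and were not captured from any senator's site.

```python
"""Offline check of whether a site enforces HTTPS (added example).

Scores a plain-HTTP response head and an HTTPS response head the way an
auditor of an HTTPS-only policy would: is HTTP redirected to https://, and
does HTTPS send a Strict-Transport-Security header with a meaningful
max-age? All sample responses below are constructed, not real captures.
"""
import re
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# One year in seconds; a common minimum for HSTS (threshold chosen for this example).
HSTS_MIN_AGE = 31536000


def parse_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP response head into (status_code, headers).

    Header names are lower-cased; a repeated header keeps its last value.
    Parsing stops at the blank line that ends the head.
    """
    lines = raw.strip().splitlines()
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0])
    if not m:
        raise ValueError(f"bad status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def redirects_to_https(status: int, headers: Dict[str, str]) -> bool:
    """True if the plain-HTTP response is a redirect whose Location is https://."""
    if status not in (301, 302, 307, 308):
        return False
    return urlsplit(headers.get("location", "")).scheme.lower() == "https"


def hsts_max_age(headers: Dict[str, str]) -> Optional[int]:
    """Return the HSTS max-age in seconds, or None if absent or malformed."""
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return None
    for directive in hsts.split(";"):
        key, _, value = directive.strip().partition("=")
        if key.lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else None
    return None


def classify(http_head: str, https_head: Optional[str]) -> str:
    """Classify a site from its plain-HTTP and (optional) HTTPS response heads.

    'enforced'  : HTTP redirects to https:// and HSTS max-age >= HSTS_MIN_AGE
    'redirect'  : HTTP redirects to https:// but HSTS is missing or too short
    'optional'  : HTTPS answers, but plain HTTP is served without a redirect
    'http-only' : no HTTPS response at all
    """
    status, headers = parse_head(http_head)
    if https_head is None:
        return "http-only"
    if not redirects_to_https(status, headers):
        return "optional"
    _, https_headers = parse_head(https_head)
    age = hsts_max_age(https_headers)
    return "enforced" if age is not None and age >= HSTS_MIN_AGE else "redirect"


# Constructed sample responses (not captured from any real site).
GOOD_HTTP = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.gov/\r\n"
    "Content-Length: 0\r\n\r\n"
)
GOOD_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n"
)
WEAK_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
PLAIN_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    print(classify(GOOD_HTTP, GOOD_HTTPS))   # enforced
    print(classify(GOOD_HTTP, WEAK_HTTPS))   # redirect
    print(classify(PLAIN_HTTP, GOOD_HTTPS))  # optional
    print(classify(PLAIN_HTTP, None))        # http-only
```

To run this against live sites, fetch the head of `http://host/` and `https://host/` with a client that does not follow redirects and pass the raw response heads to `classify`; an "optional" result is the case the article describes, where a certificate may exist but visitors who type the bare hostname still get plaintext.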

"You can kind of look at it like state police," Barloon said. "We're responsible for securing the roads, securing the alleys, securing the streets and securing all those types of functions, but our security to some degree stops at the doorstep of the member's office."

Individual senators' systems administrators make the calls inside those offices. Barloon's team offers to meet with the administrators monthly and supply security certificates, but the decisions are up to them.

Although he might not like some of those decisions, Barloon didn't blame users. "I don't know that we as cybersecurity professionals have educated the users...on the importance of why cybersecurity is a big deal," he said.

To help get that message across, Barloon has brought in cybersecurity pros from organizations such as the National Security Agency and Virginia Tech to offer their perspectives.

Nevertheless, he said CISOs often need to work with their customers' risk profiles. In those cases, resilient networks are essential.

"The president, the vice president, the first lady -- they all have their job to do," Barloon said. In a recent effort to secure the White House Communications Agency, "taking the network down for a patch wasn't necessarily going to be an option, so I had to come up with some resiliency."