U.S. Chief Information Officer Tony Scott says the Obama administration is currently vetting a handful of candidates for the long-awaited chief information security officer position and will likely make an official hire in the next 30 days.
Speaking at an event today on the cybersecurity workforce sponsored by the Christian Science Monitor’s Passcode publication, Scott said the administration is considering candidates with previous government experience as well as Washington outsiders.
“We have a great pool to draw from,” Scott said. “As you can imagine, this is a pretty important role -- one that we take seriously. And we had a pretty impressive group of folks apply for it.”
President Barack Obama announced the creation of the CISO role as part of a raft of cybersecurity initiatives included in his 2017 budget proposal.
Once the hire is officially made, what advice would Scott -- himself a relative newcomer to government -- offer the new CISO?
“I think the first job of the CISO is going to be get around and meet all of the people in the federal government who contribute to the success of that role in a bunch of different ways,” Scott said, citing the Homeland Security Department, the National Security Council and the cluster of agency-level CISOs scattered across government.
“I think one of the most important things this role can do is pull together all of the people in the federal government and make sure we have a well-thought-through and then executed strategy in terms of how all of those entities work together,” Scott said. “That’s probably one of the most important parts of the job.”
While many experts had long called for the creation of a federal CISO role, the actual job announcement was not without some criticism.
In an online column, Forbes contributor Steven Martin called the proposed salary for the position -- between $123,000 and $185,000, per the job announcement -- “paltry.” He cited figures from an IT staffing company that showed the average annual salary for a CISO in Washington, D.C., is actually $225,000 and that some CISOs make as much as $380,000.
Scott said there are often other factors at play besides a paycheck.
“This is an important role, and I think the right person’s going to come into this and pay is not going to be the most important factor,” Scott said. “It’s, ‘What can I do? What can I contribute? And how can I make the cybersecurity for the federal government better when I’m done with this job versus the day I walked in?’ If you come in with that attitude, I think, you’ll do fine.”
Scott himself left a corporate CIO gig at West Coast-based VMware to become the Obama administration’s IT chief in February 2015.
“There are days when I feel like I should be paying to do the job and then there are other days where I feel like you couldn’t be paid enough to do the job,” he said.
Gripes over CISO pay mirror broader concerns about the federal government’s efforts to attract top tech talent at all levels.
The administration has made growing the size of the federal cybersecurity workforce a top priority of its information security agenda.
The administration directed agencies to identify their biggest cybersecurity skills and talent gaps, and it plans to release the first governmentwide cybersecurity HR strategy this month.
Other areas the administration is targeting include modernizing the processes used to conduct background checks for prospective employees seeking security clearances.
“It’s time to redesign them in some fundamental ways,” Scott said, adding they haven’t changed much in the past 20 years. “We can’t give up on doing good background checks. That’s one of the fundamental tools at our disposal. We just have to get better at it. And then, we also have to get faster.”
He also said agencies need to get smarter about the way they write job descriptions, both to appeal to the right kind of applicant and to speed up the hiring process.
“Speed, in a digital world, is everything,” he said.
The sluggish pace of federal hiring is a problem, agreed Rodney Peterson, the director of the National Initiative for Cybersecurity Education.
“It’s a little bit of an oxymoron to use the word ‘speed’ and the federal government in the same sentence, because that’s just not the way it currently operates,” he said.
But that’s far from the government’s only challenge.
“Our current data shows that people are going out the backdoor as quickly as we’re bringing them in the front door, and that suggests a real culture problem in the government,” Peterson said.