The new federal IT security chief needs clearly defined job responsibilities and “top-down” support to be effective.
The Obama administration’s move to hire the first-ever federal chief information security officer in the wake of wide-scale hacking of government computer systems is a positive step, according to a group of industry executives that advises the president.
But adding the new role could be “disruptive,” the execs warn, and the CISO needs clearly defined job responsibilities and “top-down support” to be effective.
That’s one of the recommendations from the National Security Telecommunications Advisory Committee, a group of 30 industry executives who advise President Barack Obama on technology and national security.
The group presented the recommendations in a March 10 letter to Obama.
Earlier this year, the committee was tasked with weighing in on the administration’s Cybersecurity National Action Plan, released last month in connection with the president’s fiscal 2017 budget request. Along with hiring a CISO, the plan also called for upping annual spending on information security by more than 35 percent and establishing a federal commission on cybersecurity.
CISO Needs Top-Down Support
The committee recommended the CISO have the authority to assess risks across agencies, establish baseline security requirements and measure compliance.
In addition, the committee recommended the CISO play a key role in setting and approving IT security-spending priorities.
“In industry’s experience, CISOs must have the authority to approve or escalate inquiries about the development of appropriate technologies and processes being considered for deployment,” the letter stated.
Still, the committee cautioned, carving out a new IT security chief can be “disruptive,” especially if the new position’s authority overlaps with or overshadows the work of existing officials, such as agency CISOs.
“Clearly designating a CISO’s responsibilities is key, and empowering a new CISO with top-down support and engagement is essential to minimize disruption,” the letter stated. “In industry’s experience, a one-off announcement is not sufficient; companies that have successfully integrated CISOs as empowered enterprise risk managers have done so over a period of time.”
Administration officials say they hope to hire and onboard the new CISO by May. The IT security chief will work out of the Office of Management and Budget under U.S. Chief Information Officer Tony Scott.
More ‘Red Team’ Penetration Testing
The committee also recommended the federal government identify and tighten security on high-value assets, meaning computer systems that are essential to national security or that contain personally identifiable information. As part of the 30-day “cybersecurity sprint” initiated last summer in the wake of the Office of Personnel Management breach, agencies were already directed to identify potential hacker targets.
The industry group suggested that simply implementing basic cybersecurity hygiene would go a long way toward closing some of the agencies’ vulnerabilities.
In addition, the group recommended the feds beef up their cyber intrusion and detection capabilities, including deploying “red teams” to try hacking into government networks.
“Industry has moved toward the use of ‘hunt’ teams to detect adversaries that have already established a foothold in their organizations’ systems,” the report stated. “The use of such teams is consistent with the assume-breach mentality and takes important steps toward learning more about adversaries, reducing the immediate and future impacts of an incident, and preventing incidents.”
In the 2017 budget, the Department of Homeland Security proposed increasing the number of federal civilian cyber defense teams, which proactively search for intruders on government networks, from 10 to 48.