On February 9, 2016, President Obama released the Cybersecurity National Action Plan that "puts in place a long-term strategy to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security." He also ordered the establishment of a federal Chief Information Security Officer, to be named in May 2016, who reports to the U.S. Chief Information Officer.
The federal CISO's main function is to manage all other government agency CISOs and security programs. But is this position necessary? And if so, will the federal CISO be positioned to fulfill her intended goals?
Does the U.S. need a federal CISO?
There have been many instances of cybersecurity issues in the U.S. government. In July 2015, the Obama administration disclosed that federal systems were hacked, and the attacks that originated in China affected 21.5 million people and resulted in exfiltration of personal information, including Social Security numbers and some fingerprints. The Office of Personnel Management (OPM) stated that this breach probably affected every person who has had a background check in the past 15 years. In June 2015, a similar breach occurred in OPM systems that compromised sensitive data of 4.2 million federal employees.
The Hillary Clinton email scandal is another example of a cybersecurity misstep in the government. During an interview with MSNBC, Richard Clarke, former National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the U.S., commented on Hillary Clinton's private email server. He stated that "she clearly made a mistake" but he also included that current Secretary of Defense Ashton Carter, former Secretary of State Colin Powell and former Secretary of State Condoleezza Rice did the same. Clarke said he did not know whether Clinton's email server was hacked, but he did know that the State Department email server was hacked. "Had she been using the State Department email system, as some people think she should have, and in fact she should have, then the Chinese would have been reading [the Clinton emails]," Clarke said during the interview. "What that points out is how bad IT security is in the federal government [and] how bad IT is in general. It's very clunky and hard to use."
A federal CISO will not solve all the problems, but it could coordinate all agency cybersecurity programs and help the federal government avoid future embarrassment.
Is a federal CISO positioned for success?
Each federal agency has its own CISO and, in many respects, functions in its own silo. In March 2016, the National Security Telecommunications Advisory Committee (NSTAC) wrote a letter to President Obama which stated that the new federal CISO "has enormous potential to enhance our Nation's cybersecurity." In this letter, NSTAC stressed the importance of the federal CISO's positioning in governance and risk management "to enable cross-organizational coordination and collaboration."
The official job posting website for the U.S. government states the job duties will be to "ensure coordination and alignment among federal agency CISOs through the exercise of effective governance", including budget priorities and authority on policies, procedures and technologies impacting the federal government's cybersecurity program.
This charge may seem overwhelming and difficult to attain, but if the federal CISO leads by example, delegates, ensures accountability and demands respect from the very beginning, the job duties can be accomplished. This will allow agency CISOs to work together and still empower them to do their respective jobs. Otherwise, this position will sadly be a mere optic.
Federal CISO job requirements
The federal CISO position is located in Washington, D.C. and, according to the job listing, pays a $123,175 to $185,100 annual salary, which is less than what a similar position commands in the private sector. The position requires a top secret/SCI clearance with no relocation expenses paid. No cybersecurity professional certification requirements were posted, although they are undoubtedly necessary. The mandatory professional/technical qualifications listed include "demonstrated experience in working with executives and managers on the identification of large enterprise business requirements; understanding cyber threat activities and methodologies; and establishing risk-based cyber security policies, strategies, and measures to address current and emerging cyber threats."
Those are the requirements according to the job listing. But what will be required of the federal CISO? Anyone working on federal government systems will admit they are antiquated, not user-friendly and high maintenance. The systems could still be secure but their ability to protect sensitive information is questionable given recent hacks into federal computer systems.
The government is very different from industry. The bureaucracy is a pedantic nightmare, but much like the Department of Homeland Security was established to oversee several existing agencies -- such as TSA, Secret Service, FEMA, U.S. Coast Guard and others -- having a federal CISO makes sense.
To be effective, the federal CISO position needs to manage federal governance, cross-agency budgets, policies, protection programs and architectures. The reporting structure -- in order to maintain collaboration, cooperation and continuity -- should give all agency CISOs a solid line or, at a minimum, a dotted line relationship to the federal CISO. This will ensure essential independence from any influence by IT or agency heads, and legal authority to take punitive actions if policies, procedures and protection measures are not deployed or adhered to. Whether the federal CISO will be empowered to accomplish this is still up for debate.
The full text of CNAP can be found here.