Chief information security officers answer 4 burning questions

Unto the breach—that’s the everyday reality for the government chief information security officer, arguably one of the most difficult yet important jobs in government IT.

When the CISO title first started appearing on agency organization charts about seven years ago, the job was largely a paper-pushing exercise, focused on gathering data on the security of agency systems and rolling it into an annual report to Congress, as required by the Federal Information Security Management Act.

Today the CISO’s job description covers an expanded — and still expanding — universe of duties, all of which come down to monitoring constantly evolving security dangers and plugging the gaps in an agency’s defenses before it’s too late. The job requires an almost encyclopedic knowledge of external threats and internal exposures, a thorough grounding in the agency’s technology infrastructure and the ability to frame security issues in terms of the agency’s core missions.

The CISO’s responsibilities — and worries — continue to grow as the more tightly controlled IT systems of the past have given way to a diffuse mix of ubiquitous Internet access, barrier-busting social Web applications, and inexpensive but extremely powerful smart phones and other portable computing devices.

CISOs now take the lead on an often long list of tasks, even though their time-consuming compliance duties remain undiminished. CISOs set, monitor and enforce agency security and data privacy policies. They oversee the planning and day-to-day operation of security systems and deal with the fallout if those resources fail. They also vet a stream of new technologies, from Facebook to BlackBerrys, for possible security liabilities and help agency leaders decide whether that next, great new thing can be used safely.

Meanwhile, the bad guys just keep at it. Early this year, the Conficker worm infected at least 3 million computers, and in July, a spate of cyberattacks — thought to have originated in North Korea — temporarily took down a number of government agency Web sites. Government servers are attacked daily, and the threats aren’t going away any time soon.

So what do CISOs need to do to make sure that security gets its due? What problems do they see coming, and how do they plan to address them with limited resources?

To discuss these and other important issues, contributing editor John Moore set up a virtual round table with five current and one former government CISOs. All participants received each question by e-mail and were invited to respond to one another’s answers.

The panelists are:

C. Ryan Brewer, chief information security officer, Centers for Medicare and Medicaid Services.

Patricia Titus, chief information security officer, Unisys Federal Systems, and former CISO at the Transportation Security Administration.

Patrick Howard, chief information security officer, Nuclear Regulatory Commission.

Marian Cody, chief information security officer, Housing and Urban Development Department.

Phillip Loranger, chief information security officer and acting director for information assurance, Education Department.

Robert Maley, Chief information security officer, Commonwealth of Pennsylvania

Here are excerpts from their discussion.

Brewer: As the senior leader for information security at my organization, I view my primary responsibility as applying resources — technology, people and process — to reduce risk to our systems and sensitive information. I view authority and influence as intangibles that are built over time. All too often, there is an unnecessary conflict between the business and information security. I believe the origins of this to be that information security leaders at times do a poor job at helping the business understand the principle of risk.

Titus: The issue with IT security professionals is that they talk in their own language. They must be able to speak to business leaders in a language that those leaders can understand. They must be able to connect the needs of the security program to the bottom line or mission of the organization.

Brewer: In the end, it is ultimately the business leader’s decision on whether or not to accept a risk. The information security leader’s job is to properly articulate the risk to the business leader and to assist the business leader in making the best risk-based decision. Once the business leaders begin to notice that the security leader is there to support the business and not to inhibit it, the security leader’s authority and influence will begin to grow over time.

Howard: Here at the NRC, the CISO has adequate authority, resources and influence to address most of my cybersecurity needs. However, “addressing the needs” should be carefully considered, because the highest-priority risks are not always addressed according to sound risk management principles, and remediation is not always as complete or correct as necessary. These are ongoing issues that the CISO must continually monitor.

Cody: HUD has a strong record on cybersecurity. The chief information security officer has had direct access to the department’s senior-most leaders and has long served as the principal adviser on cybersecurity matters. Budgetary authority has sometimes been constrained. However, the limitations were generally related to the funding allocated for all IT activity rather than directed at cybersecurity specifically.

Loranger: You have to take a look at how the CISO is positioned within the organization with respect to the chain of command to judge whether or not they have the proper authority and influence. Do they have the authority to assess compliance and propose remediation actions, etc.? Is the CISO empowered to propose and establish performance metrics? If not, he/she is not empowered.

FCW: What technology development do you find most perplexing from a security point of view: cloud computing, social networking/Web 2.0, or something else?

Titus: Social networking by far. Recently, I read an article about how the U.S. military was allowing soldiers to use social-networking tools and then prohibited them before they decided to allow them again. This on-again, off-again [approach] highlights the risk versus rewards of social networking. This free and open communication tool is part of the problem. Unsecured and unfiltered communication can potentially expose national security information by, for example, divulging troop movements when a young soldier communicates with his spouse. Training those that use social-networking tools could help lower the exposure. However, the rapid adoption and demand for real-time communication tools that have higher sophistication is putting the trainers behind the curve.

Maley: Web 2.0 is perhaps the most perplexing development. These are technologies that are looked at by our next generation of leaders as integral components of business and life. Yet the risks around using them improperly are significant.

Loranger: Achieving a balance between ensuring that adequate security is in place without hampering the functionality of social networking venues is difficult. This will continue to be a tremendous security challenge, as employees will use social-networking sites such as Facebook or instant messaging, whether sanctioned or not. With each generation of the Web and information sharing in general, we will continuously face security challenges and exposures that we may not be prepared to address as expeditiously as we will need to.

Cody: I believe that cloud computing probably poses the most challenges. The basis for cloud computing is the establishment of a trust relationship with the service provider. I think that mental hurdle is a large one for a federal community that is accustomed to being its own service provider. If you think about the businesses HUD is in — mortgage banking and insurance — would your local bank outsource its information technology? What evidence would the service provider have to provide to assure the department that its information was secure, that its data could not be leaked, that the privacy information related to HUD’s stakeholders, business partners and constituents was not subject to inadvertent leakage or modification?

Security challenges abound, including determining encryption requirements, who would be responsible for encryption key management, where encryption would apply — to data at rest as well as in transit — how would user authentication be handled, who is liable in the event of a data breach, how to protect against threats such as man-in-the-middle attacks and Trojans.

Brewer: To me, the most perplexing aspect of new technology development is the lack of information and questions that individuals and organizations sometimes ask before they are ready to sign up and send their personal and organizational sensitive information into the great abyss. I believe this goes back to the security professional's responsibility to articulate to our business leaders the risk involved so they can make a well-informed decision. Cloud computing and social networking/Web 2.0 have a lot of potential, and I believe there are appropriate solutions that will allow them to be implemented securely in the federal space.

However, just as with any new business capability, the business leader will have to understand the appropriate solution may require additional funding and resources.

Howard: Each of these [new] technologies present issues that the CISO must address to ensure that the security of IT resources is not compromised by their implementation. Part of the problem is the response of government executives to get on the bandwagon for the latest new thing and push for implementation without adequate consideration of the security implications. New technology should always be regarded using sound IT governance structures and an enterprise architecture that addresses business needs for security.

FCW: How do you bolster security at a time when budgets are tight?

Cody: HUD has embraced the federal risk management framework to guide security decisions. We have identified an inventory of IT systems and understand which systems are critical to HUD’s mission. We prioritize security decisions based on this knowledge. HUD also relies on architectural decisions to consolidate like IT systems and standardize on a limited product suite. This result is a reduction in the number of potentially vulnerable platforms.

Titus: Bolstering your security during tough economic times means being able to look at the mission of your organization and addressing the risks based on the needs of the mission. You’ll never have enough funding to do all that you would like to do, so building a prioritized security strategy is important. Avoiding a knee-jerk reaction is another key factor. I’ve seen all too often that IT security professionals rush to eliminate a security vulnerability by throwing technology at the problem only to discover they have actually created a larger vulnerability by not thinking through the solution and making certain it aligns with their strategy.

Brewer: We are trying to do more with less by pushing the old adage of doing the simple things well. It is not the sexiest topic in information security, but you have to really know exactly what you have on your networks, in as close to real time as possible, before you can succeed at protecting it. We are focusing on that aspect first before we are pursuing potentially more expensive initiatives.

Loranger: As it relates to limited budgets, CISOs certainly have to be creative these days. One of the best ways is through the arrangement of private/public partnerships. You can collaborate with universities and share data about the current threat landscape with their common user pool environments to get valuable feedback.

FCW: Based on changing threats and emerging technologies, how do you see your agency's IT security policies and technical approaches changing during the next 12 to 18 months?

Titus: As we move toward cloud-based services, I believe we’ll need to adopt new policies and find ways to be more flexible. I think the advent of cloud and pushing some of the control to the cloud will require a new level of thinking to ensure the CISO can verify that security requirements are being met or exceeded. I also think it will mean new standards and guidelines may be necessary to ensure compliance. Continuous monitoring will be crucial.

Brewer: While we cannot predict the future of the threat landscape, we do know the push to share our vast amounts of health care data will drive our IT security policies. We are currently looking across our information security capabilities to include policies and technical approaches and working on a strategic plan that will outline what needs to change to support increased data-sharing capabilities.

Cody: On the policy front, we are aligning HUD’s internal security policy with the latest version of the National Institute of Standards and Technology Special Publication 800-53, "Recommended Security Controls for Federal Information Systems." These standards have provided the road map for maturing our information security program.

Technical approaches during the next 12-18 months will include expansion of HUD’s automated security management tool suite to more easily capture data related to how well security controls are implemented and working. We are maturing our vulnerability management program and strategically implementing additional tools to provide more visibility into the network operational environment. We also plan to tap into our reservoir of business intelligence tools in order to provide HUD’s senior management with a security dashboard.

Howard: The current emphasis on working from anywhere at any time will lead to the growth of remote access to agency IT systems. Current IT security policies and technical solutions must be tuned to support that growing business need.

The nature of the threat requires NRC to develop and implement additional policies and procedures and a comprehensive set of tools that permits detection and/or prevention of both external attacks and compromise — loss or exfiltration of sensitive data by internal, trusted users, whether intentional or inadvertent.