Federal CISO needs real power, says advisory group
The National Security Telecommunications Advisory Committee at DHS wants the new federal chief information security officer to drive policy and have real visibility across agencies.
A federal advisory committee led by senior executives in the technology and telecom industries warns that the planned integration of a federal chief information security officer has the potential to be "disruptive," and suggests a path to success.
In a March 10 letter to President Obama, the National Security Telecommunications Advisory Committee of the Department of Homeland Security seeks to ensure the federal CISO has the authority to set policy and to drive collaboration among security officials across agencies.
Industry experience suggests that "CISOs operate most successfully when they are empowered to work with stakeholders to develop incentives and establish penalties to foster implementation of policies and practices," according to the NSTAC letter. To that end, the group advises creating an "action-oriented cybersecurity council or leadership team that is convened by the CISO." That group could be a federal community of practice along the lines of the CIO Council.
In an attached policy memo, NSTAC advises a kind of inventory of government-wide IT and data assets. The CISO must have visibility into the highest-value assets in each agency or "enterprise vertical" in the parlance of the memo. The CISO should also look to prevent cyber breaches and other security incidents through the mandatory deployment of an "integrated intelligent platform" that leverages analytics to detect potential attacks, and operates on a segmented, zero-trust basis to limit risk surface of a high-value asset.
NSTAC also wants to name and shame laggards, through regular review of departments of agencies. Additionally, the group recommends that government find ways to incentivize agencies to use shared services and common platforms for cybersecurity, and to encourage the use of private sector manage security solutions, "to reduce the necessity for departments/agencies to construct their own capabilities."