White House Cyber Chief to Agency Leaders: Know Your Networks' Risks
CIOs and CISOs need to be involved in executive decision-making, White House Cyber Coordinator Rob Joyce said.
The buck stops with agency leaders when cybersecurity breaches occur, White House Cyber Coordinator Rob Joyce reiterated Wednesday.
Chief information officers and chief information security officers across government are critically important but often removed from executive-level decision-making. That’s a stark contrast from their peers in the private sector, who tend to work and report directly to corporate leaders, Joyce said.
“We operate these [federal] networks on behalf of the American people,” he said at the GovProtect17 cybersecurity forum in Washington. “Tech stuff is too often the job of the CIO or CISO, but it really is a leadership decision.”
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
Agency heads need to know when CIOs and CISOs have signed off on various risks, such as running outdated software.
“Does leadership know they’ve accepted that risk? The buck stops with them. Department and agency heads have to be accountable in this space,” Joyce said.
Joyce offered advice to agencies in the early days of carrying out President Donald Trump’s cyber executive order, suggesting agencies first “consider all components of the network” in question. That includes aging legacy systems, mobile devices, sensors and other web-connected devices. Anything that connects to a network, Joyce said, ought to be known.
“You can’t defend what you don’t know,” Joyce said. “To understand risk, you have to understand what the components of your network are.”
This isn’t as easy as it seems.
Speaking before Joyce, Ray Latteer, chief of the U.S. Marine Corps cyber division, was surprised to learn much of the Marines’ systems aren’t visible to IT leaders.
“We don’t even know what we’ve got, we’ve got people who don’t know what is on the network,” Latteer said. “We can see maybe 70 percent of the environment we’re going into.”
Policy initiatives like the cyber executive order are spurring progress, but Latteer noted he’d like to see faster, more proactive action.
“We are too reactive,” Latteer said. “We’re moving in the right direction but in my opinion, a little too slow.”