Security guide

A sharp increase in cyberthreats may have raised Mary Stone Holland’s profile within the State Department in recent years, but it hasn’t changed her approach.“You have to take advantage of the experts you have around you, especially in the technical fields we work in: Let them bring the answers to the table, and apply the solutions to the government environment,” said Holland, who is director of computer security for State’s Bureau of Diplomatic Security.Holland is a 25-year State veteran, who worked early in her career in the former Bureau of Inter-American Affairs, where she was involved in the deployment of equipment throughout Latin America. She made the transition from operations to security 15 years ago.During Stone’s tenure in the bureau, cybersecurity has become a top department concern.“For many years the department’s cybersecurity team worked in relative obscurity,” Holland said. “However, in recent years, with the increasing danger of the threat and the importance of technology to the department, cybersecurity personnel have been thrust into a leadership position.”Now, Holland is responsible for a worldwide IT security program. She leads a staff of 135 employees, including engineers, special agents, and computer and cybersecurity specialists working around the world.Donald Reid, director of security infrastructure for the bureau, said Holland “is credited with re-engineering the department’s IT security program into a comprehensive defense-in-depth program, reflecting best practices and adhering to national mandates and guidance.”As part of the security program, Holland led a global department project to carry out evaluation and verification of the IT security at the department’s posts worldwide.Because State has 260 working locations, Holland crafted a verification protocol that limited the need for on-site inspections. Her team gathered information from previous site visit reports issued by the CIO and the Inspector General’s Office, technical security assessments and similar indicators of cybersecurity status.The next step of the verification process was to obtain quarterly system scans from the posts using the security configuration tool the bureau had developed, known as the Baseline Toolkit. Information from the scans helped Holland’s team decide which posts most needed on-site visits.That step led to targeted verification trips by the bureau’s regional computer security officers.Success in the cybersecurity realm flows from gaining the attention and support of other government leaders, Holland said.“It’s about the message. You have to get the critical information to the senior and middle managers so they understand the importance of their role in cybersecurity,” Holland said.“In recent years, they have become extremely more receptive because they understand how vital cybersecurity is to operations, to assure continuity.”Holland has assembled a Computer Incident Response Team that responds to intrusions and assesses information from the department’s continually operating network monitoring center. The team works with a Cyber Threat Analysis Cell that exchanges information with the wider federal cybsecurity community, including the FBI, the U.S. Computer Emergency Response Team, the Defense Department and the National Security Agency.“The working level, where cybersecurity analysts share information daily, can be the most important work,” Holland said. “It’s critical to foster this kind of communication. In recent months we have been redirecting resources in personnel and looking for additional automated tools that will help analyze trends in the network.”Reid cited the effectiveness of Holland’s IT leadership, saying she “taps into the expansive talent she has, directs it to meet critical needs of the CIO, insures that her process is seamless to existing department processes and does all this in an efficient, effective, cost-saving manner.”Holland herself attributes some of her leadership success to the influence of mentors such as Ambassador Francis X. Taylor, former assistant secretary of the Bureau of Diplomatic Security and director of the Office of Foreign Missions.“One thing he clearly taught many of us is that the information we have is only valuable when you give it to the right people. Technical security information has true value when you get it to the right people.”Holland also makes a point of balancing work and family life, and has taken leadership lessons from her volunteer work in her son’s school. “Nothing could be more challenging than implementing a grade-school haunted house,” she said, laughing. “In terms of your leadership role, your private life is a demonstration to those around you in terms of leading by example.”