The new federal chief information security officer, once one is announced, should push for more collaboration between agencies and be the bridge for sharing best practices, according to a panel of federal cybersecurity officials.
Speaking at an ACT-IAC conference Monday, officials stressed the need for the CISO to be the person who drives change in agency cybersecurity culture across the entire federal government.
Rod Turk, CISO for the Commerce Department, said he wants the new federal CISO to act as an information broker so agencies can learn what is working across the government for mandated security programs, like Continuous Diagnostics and Monitoring.
“I am very hopeful that the new federal CISO comes to the table in a collaborative way,” Turk said. “What I am interested in, I want to know how you are making those tools hum. I want you to pull that little black book out of your back pocket and let me know all the little tricks you use to make CDM work.”
“I’m looking for those discussions about all of those common things that CISOs deal with, whether it be the cyber sprint, [the Federal Information Security Management Act], [the Cybersecurity National Action Plan],” Turk added. “I want to come together and pull the common threads throughout all of that to make all of us rise to a higher level.”
He is also hoping the new CISO moves the government away from a metrics-based culture, partly because it doesn’t lend itself to creating programs with cybersecurity thought of from the beginning.
“If we continue to use a metrics-based culture, it’s not going to encompass all of the areas that we need to encompass,” he said.
[Read more: No cybersecurity without collaboration]
Mark Kneidinger, the director of federal network resilience for the Department of Homeland Security, said he hopes the new CISO informs new agency leadership how to keep momentum going with cybersecurity, serving as the linchpin between administrations.
“We are able to do more because of our deputy secretary’s involvement,” Kneidinger said. “Who comes after that? What happens to the cybersecurity message? I see the federal CISO as the person who is carrying that message and working with the new politicos.”
An announcement on who will fill the federal CISO role is expected in coming weeks. The position was announced as part of the Obama administration’s Cybersecurity National Action Plan, introduced in February as part of the president’s proposed budget plan for fiscal year 2017 in. That directive, along with last year’s Cybersecurity Strategy and Implementation Plan, have helped agencies make significant progress in their cybersecurity posture, officials said.
“When you look at the CNAP, which strikes me as a top-down mandate, it is near-term actions for a long-term strategy. It’s very comprehensive,” said Joseph Klimavicz, the Justice Department’s CIO.
“I like to say it’s a marathon, but you are sprinting every day. That’s what it feels like. This not going to be over anytime soon.”
Turk further said he hopes the person also bridges the gap from security professionals to the executive suite, where they can communicate on why cybersecurity is important for an organization as a whole.
“As we develop the CISO, they are going to need to be able to take these technologies and put shoe leather on them, to be able to walk around the room and demonstrate to an executive suite that this is why ’X’ has to happen,” Turk said.
“Hopefully, it will get to a point where it’s self-evident that we need to do the things that we are talking about.”