Overseeing information security at federal agencies can seem like a losing battle, considering the growing number of reported security incidents and sophisticated attacks targeting federal networks.
Just one policy violation, one click on a malicious link or one successful insider threat can wreak havoc on an agency and its chief information security officer.
But being a CISO isn’t all doom and gloom, especially for those who exude responsiveness, reliability, assurance, professionalism and empathy, said Peter Gouldmann, director of information risk programs for the State Department’s Office of Information Assurance.
“I don’t know of any [other] measure of success for a CISO,” Gouldmann told security professionals at CyberSecureGov 2014 in Arlington, Va. “If you’re providing that, then you’re a success.
“If you could tell me, ‘My CISO is great and wonderful because we haven’t had any exploitations occur,’ well, that’s going to be short-lived because this is a losing battle,” he said.
Making Security Simple
Gouldmann compared security work to baseball, noting that CISOs have to be comfortable batting under .300 because it is hard to succeed in that role. But they can make the most of a challenging situation by serving as liaisons between the technical world and agency leaders. Good CISOs can translate complex information into a digestible 30-second elevator pitch for their leaders and provide further details, when needed, to assure everyone that the agency can securely carry out its mission.
Some CISOs fail in translating technical information to senior management because they use too many acronyms, said Erik Avakian, CISO for the commonwealth of Pennsylvania. CISOs tend to be promoted from networking or IT jobs within an organization, and while they understand the protocols, they have never been taught how to communicate effectively.
The successful ones eventually develop that skill set, but it takes time, Avakian said.
Aligning with Senior Leadership
Jill Vaughan, deputy chief information officer and deputy assistant administrator for the Transportation Security Administration's Office of Information Technology, said good cyberchiefs are a lot like other great leaders. “I think a good leader is a good leader is a good leader, and there are variations of that, but you could almost take any leader within our cyber team and throw them into another part of the business; they would do great,” Vaughan said.
“I think the ability for someone to understand what gets prioritized and understand how to manage their work units and the morale of the staff, [understand] the business acumen of how to hire a person, how to deal with the personnel issue, how to manage the finances, the risk [and] all the things that make up a great leader, those should be fairly interchangeable at some level,” she added.
Her advice to CISOs comes from a common saying her boss uses: “What interests my supervisor fascinates me. Whatever my leadership is fascinated in, that’s what I’m going to focus on.”
Your leader’s interests may not be yours, she said, “but if you clear the path on that, then you’re going to get to focus on the things that really matter to you.”