President Obama is expected to appoint the U.S. government’s first-ever federal CISO soon. It’s a long overdue, but welcome, move that means we’ll finally see Washington take real action on cybersecurity. But, in a lot of respects, it feels like too little, too late.
Over the last several years, we’ve seen cyberattacks and digital threats explode in volume and impact. Hackers used to be basement-dwelling nuisances; now they’re globally organized, sometimes state-sponsored perpetrators who carry out attacks against government agencies, schools, hospitals, health insurance providers, banks, app developers, professional networking platforms, retailers, movie studios, and more with alarming regularity. These attacks are becoming more costly and sophisticated by the minute – whaling email attacks impersonating or targeting CEOs alone have already cost victims more than $3 billion.
So, what can a federal CISO possibly do about all this?
The first 100 days
As Tony Scott, CIO for the U.S. government, puts it, the new CISO’s primary role will be to meet with agency-level CISOs of organizations like the Department of Homeland Security and the National Security Council and “pull together all of the people in the federal government and make sure we have a well-thought through and then executed strategy in terms of how all of those entities work together.”
That’s basically all a federal CISO could do in those first few weeks and months. This isn’t like a president’s first 100 days in office, where they have momentum to push their biggest priorities into law and get as much policymaking done as they can right off the bat. The federal CISO’s first 100 days are going to be a slower affair, building bridges and corralling a lot of different agendas and levels of expertise across the government. To be effective at their job, the CISO needs time to establish a network of stakeholders and build a reputation as a thought leader.
That means less obvious action upfront and more behind-the-scenes work in getting the government’s federal IT program together.
Inspiring the private sector to close the skills gap
But a federal CISO can have a more immediate impact in one area, and that’s in the private sector.
Establishing a federal CISO creates a single point of responsibility and accountability in the country – a “the buck stops here” type of position. It gives both public and private sector organizations someone to look to for inspiration and best practices: someone who knows what they’re talking about and can be looked to as an authority.
Beyond just addressing Congress and making recommendations for how the government can improve cybersecurity, the federal CISO can promote new practices and solutions for the private sector to emulate.
One of the biggest problems with the security industry today is how investments are made. It’s not that the market is underinvested – just the opposite, in fact. There’s a lot of money going into the cybersecurity market, but it’s going into the wrong places. These investments are predominantly aimed at creating the “next big thing,” that shiny new product that will solve all your problems.
Those are distractions, and they ignore the underlying issue: the human element.
Too many private organizations aren’t investing in cybersecurity training – whether it’s company seminars or university courses, there just aren’t enough opportunities for past, present, and future IT professionals to learn everything they need to learn about security. Rather than focusing on whatever new shiny security product comes along, the private sector needs to direct its attention and money toward the fundamentals: closing the skills gap, hiring the right people, and making sure the people who are actually using that shiny thing know what they’re doing.
The 2016 PwC security survey revealed the extent of this problem: nearly 50 percent of companies don’t have their own CISO. And as long as they don’t have that position, they don’t have anyone responsible for ensuring they’re making the right decisions on cybersecurity: that they’re buying the right solutions, that they’re hiring the right people, and that they even know who those right people are so they can close the skills gap as much as possible.
That’s where the federal CISO can help.
If these same organizations see the government appointing its own CISO and taking steps toward jumpstarting cybersecurity education, then they may start to do the same. They’ll have a role model to follow, and they’ll have practices and recommendations put out there by the federal CISO that they can copy.
We usually think of federal IT as being behind the curve. So how behind the curve are you if the government is appointing a CISO and investing in training and education and you aren’t?
Baby steps in the right direction
Just appointing a federal CISO cannot be the be-all, end-all goal. It’s only the first step in a longer process, across both sectors, toward building up a meaningful nationwide cybersecurity effort.
We shouldn’t celebrate this move on its own or rest on our laurels thinking, well, now the work is done. A federal CISO is just the wake-up call. That person can certainly inspire a new generation of Americans to join the front lines of the cybersecurity battle. But it’s going to be down to the private sector to take the next steps: appointing CISOs of their own and making targeted investments in cybersecurity training and education to close the skills gap and ensure our industry is fielding the best, most knowledgeable people possible to tackle today’s evolving threats.
Let’s get to work!
Peter Bauer is CEO of email security company Mimecast.