Why the federal CISO could be cybersecurity game changer

Federal Chief Information Officer Tony Scott says the government's first chief information security officer will have the broadest support ever for the new role. 

From left: Federal CIO Tony Scott, Suzanne Spaulding of the Department of Homeland Security, and Stephen Ward, CISO of TIAA, appeared at the second annual Beat the Breach event in San Francisco on March 1.

Tony Avelar/The Christian Science Monitor

March 4, 2016

If you thought about applying to be the government's first-ever chief information security officer, it's too late. The job posting closed this week, and the White House appears to be moving quickly to select its inaugural CISO.

Since President Obama announced the new position along with the Cybersecurity National Action Plan last month, it's been greeted largely with cautious optimism among digital security practitioners.

CISO positions have become increasingly common at many big companies due to the immense financial and legal costs that come with data breaches. However, the question many experts have about the federal CISO position is whether it'll have the authority and support in government to actually make a difference. 

Tony Scott, the government's chief information officer, brushed away those concerns during a panel Passcode moderated on the sidelines of this week's RSA Conference in San Francisco.

"The first person in the role is going to have a great opportunity to show what can be done in the role with the right leadership and the right collaboration," Mr. Scott said. 

In fact, he said, the incoming CISO will likely enjoy the "broadest support for that role that’ll ever exist" due to the recognition across the government that it needs to vastly improve how it handles cybersecurity at the federal level.

Mr. Scott, who became the White House CIO last February, was among the cadre of government officials who traveled from Washington to the conference to deepen connections with the cybersecurity industry as well as to get buy-in from leaders in the field. 

"I would love to have a CISO in the government that I could call and that I could collaborate with," said Stephen Ward, the chief information security officer at TIAA, the financial services giant. 

The new CISO, Mr. Ward said, will face some daunting challenges as the massive federal government attempts to overhaul its digital security and data handling practices. "Anytime you are breaking ground like that you’re going to have your challenges," said Ward, who also spoke on Tuesday's panel. "We’ve all been through these big transformations. The first one is always the hardest."

But the position – at least in theory – appears to have gained the backing of a wide swath of technology experts. In a recent Passcode Influencer's poll, 77 percent of respondents said the new CISO would be able to improve federal cybersecurity, even though many worried about bureaucratic and cultural obstacles to his or her success.

"While it is unclear how much authority, budget, support, and direct reports the new position will have, at this point a CISO advocate for the federal government is a good thing," said Jeff Moss, noted security researcher and founder of DEF CON Communications, in response to the poll. "That said, the position should be larger in scope."

In addition to the recent announcement of the CISO position, this year's RSA Conference came on the heels of a series of Obama initiatives to update government computers, implement more robust security practices, and encourage the sharing of threat intelligence between companies and government.

"We really need to embrace this sharing of cyberthreat indicators and cyberthreat information," said Suzanne Spaulding, under secretary for the National Protection and Programs Directorate at the Department of Homeland Security, who also participated in the Passcode panel. 

Ms. Spaulding stressed to the crowd of some 200 industry executives that they should embrace the idea of sharing intelligence about cyberthreats with the government – and among other companies – to lessen the blow that could be caused by a malicious hacker.

"If we can get that information out," she said, "that adversary might be able to get away with it once, but only once."