How to Succeed as a Federal CISO: A Question of Authority
The federal CISO position has been one of the most talked-about in the industry—what qualifications are needed, the salary, and what the job entails. Perhaps the most relevant question, however, is what actual authority the new federal CISO will have.
First, a little background. The federal CISO position is part of President Obama’s Cybersecurity National Action Plan (CNAP), which was announced in February. In it, President Obama sought $19 billion to address cybersecurity for the federal government in 2017, $5 billion more than this year.
The federal CISO will, according to the job posting, “serve as the federal government’s lead cybersecurity strategist,” and be “the recognized Federal expert and authority on policies, procedures, guidance and technologies impacting the Federal Government’s Cyber Security Program.”
That’s a mouthful of expectations, to be sure. However, I believe—and other experts agree—the future CISO will need the proper authority to successfully perform a “superhero’s” task. Otherwise, the job may look good on paper, but be a bust in real life.
Show Me the Money: Budgetary Authority
The new CISO will report to federal CIO Tony Scott, and will be working within the Office of Management and Budget (OMB). On the OMB organizational chart, the federal CISO will be, as Larry Seltzer of ZDNet put it, “four management levels down from the President.” However, Seltzer wrote, since the CISO role is “an appointed one with no statutory mandate,” its authority will likely be minimal.
Given budgetary authority, however, the CISO could execute some significant changes, Randi Parker of CompTIA told Seltzer. “It’s here that the proposed $3.1 billion Information Technology Modernization Fund could make some difference,” Seltzer wrote. “The CISO would probably have no stick, but could have a big, fat, juicy carrot to entice Federal agencies to secure their infrastructures.”
Robert Shea, a principal at Grant Thornton Global Public Sector and former OMB associate director for administration and government performance, agreed. “Cash is important—it’s not to be underrated as a source of authority,” he said in a Federal Times article.
It’ll Take an Act of Congress: Legal Authority
The federal CISO will need more than access to the federal checkbook. Legal authority is critical, too. FedScoop quoted Mark Kneidinger, director of the Federal Network Resilience Division in DHS’ Office of Cybersecurity and Communications: “As the federal CISO does come into play, a key element to that person is to work at developing legal authorities, be it through Congress or otherwise, that’s going to give [the CISO]… the same seat at the table as the CIO at the agency level.”
Giving legal authority to the federal CISO can help raise the visibility of fellow CISOs at the agency level. However, the federal CISO also will have to use its authority to ensure individual agencies abide by new security policies and procedures.
“As in past attempts to inject cybersecurity into the federal government from the top down, this can only work if the CISO has the authority to impose change and sanction those people and agencies who fail to change,” said Nick Selby, CEO of law enforcement security company StreetCred Software, in a Christian Science Monitor Passcode article. “The ‘all-the-responsibility-but-none-of-the-authority’ model has been tried before, and failed quietly.”
Justin Harvey, chief security officer of Fidelis Cybersecurity, agreed. “Is the Federal CISO going to have enough control over resources, policy, strategy and operations to have an impact?” he said in a Dark Reading article. “This plan needs a single owner to be held accountable for cybersecurity while also holding each individual government agency’s feet to the proverbial fire for their compliance.”
CISO Authority in the Private Sector
With cyber attacks and data breaches on the rise, the issue of CISO authority both within and without the government is critical. According to a 2015 ThreatTrack Security survey, only 25 percent of respondents believe CISOs “deserve a seat at the table and should be part of an organization’s senior leadership team.” Yet 47 percent of the respondents said that CISOs should be accountable for their company’s data breaches.
“If CISOs don’t have visibility into operational plans and strategy, and aren’t included in decision-making processes, how can they be held responsible for a major security issue?” said John Lyons, president of ThreatTrack. “The need for information security is keenly appreciated, but CISOs are struggling for the recognition and authority they need to be effective in defending organizations from today’s increasingly sophisticated and frequent cyber threats.”
At least the perception of CISOs’ leadership ability appears to be improving. The ThreatTrack survey found that 62 percent of executives said their CISO would be successful in a leadership role outside IT security—a significant jump from 39 percent the previous year. Hopefully, the naming of a federal CISO will further boost the credibility and visibility of CISOs in the private sector. And hopefully the federal CISO will have the authority to do a very important, very complicated job in the public sector.
About IDX
We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.