Earl Crane, former director for federal cybersecurity at the National Security Council and founder of Emergent Network Defense, co-authored this piece.
In briefings late January, President Trump promised that he would hold agency heads accountable for failures in cybersecurity. He plans to issue an executive order to do that early this month. While on its surface, the idea that executives in both the public and private sector need to be held accountable for cybersecurity, there is just one problem with the approach. It’s already required by law.
The Federal Information Security Modernization Act (FISMA) puts responsibility squarely on the shoulders of agency heads. In July 2015, President Obama showed what that means when Office of Personnel Management Director Katherine Archuleta was forced to step down from her post.
Archuleta likely won’t be the last agency head fired for a breach, but this approach has its limits.
In the private sector, we have seen the recurring phenomenon of Chief Information Security Officers (CISO) hired--then blamed and fired after a breach. The average tenure for a CISO is eighteen months--while the average tenure for a Chief Information Officer (CIO) is five years. The days of blaming and firing the CISO are short-lived; it will not make government information systems any more secure than it has private sector information systems, but security responsibilities continue to move up into the executive ranks.
More than just saying “you’re fired”--agency heads need the teams, the tools, and the training to be able to protect their systems. They also need bureaucratic barriers removed so they can quickly upgrade systems and defenses, avoid the multi-year protests that plague federal acquisitions, and congressional reporting relief so they can focus immediately on building defensible networks.
Beyond these measures, both the President, Congress, and the public need to come to grips with the reality that breaches will continue to occur. A zero-tolerance policy toward data losses would eliminate the value and efficiency we gain from digital systems. Instead, the federal government needs to adopt a risk management approach where agencies understand the threats targeting their data, the vulnerabilities in their information technology systems, and the consequences of data loss, manipulation or destruction.
In the private sector, we are seeing a maturation toward digital risk management. Digital risk officers are being hired to help their businesses take account of digital risk and understand the impact of taking on more risk than their organizations can manage.
Digital risk management requires a paradigm shift. Managing digital risk is no longer the sole burden of the CISO. The cybersecurity community has made great strides in communicating the importance of cybersecurity as a function, resulting in broader participation of business units and leadership, heightened expectations of oversight and governance, and increasingly larger budgets for dedicated to cybersecurity products and services.
Recent guidance from the Office of Management and Budget calls out for an increased focus on enterprise risk management, and explicitly calls out defining a “risk appetite” and “risk tolerance levels” in federal agencies as part of their budget justification. In addition, the Federal Financial Institutions Examination Council’s cyber assessment tool explicitly calls out the need for a board-approved “cyber risk appetite” for financial institutions. Both highlight leading practices for digital risk management. Risk appetite is becoming another tool for leadership to maintain effective governance and oversight of their organization — be they government or industry.
With a clear consensus from the leadership of an organization, management can shift from a compliance-based security status quo to smarter, risk-based management. This shift can empower federal agency leadership to manage their digital risk security profile, aligned with the newly defined appetite. This approach may even mean pushing back on compliance and regulatory burdens when they do not make sense or are not effective from a risk-based approach.
Even with new investment and strengthened leadership, cybersecurity incidents will continue in the federal government. If digital risks are properly understood and managed, today’s epidemic of catastrophic data losses should become a thing of the past.