If you have previously served in government, most of the job titles you encounter will be somewhat familiar. There will be one exception. In recent years, another position has been added to the government C-Suite -- the Chief Information Security Officer (CISO). The responsibilities of the CISO include:
As you know, cybersecurity has been receiving much attention over the last several years. Congress is now working on the Cybersecurity Act of 2012.
You are likely to be somewhat intimidated by the technical nature of this position, but there are key questions you should be asking to reassure yourself that your agency is not vulnerable to security missteps that could severely harm the agency. You are probably familiar with the role of the Chief Information Officer (CIO). Today, the CIO and CISO work closely together. You are likely to encounter both of them at the briefings you will receive after your confirmation.
The CISO is a key part of your team and can keep you and your agency from being embarrassed by a front page story about a security lapse. Further, the CISO’s issues should be on your management agenda. Here are three questions you should ask during your initial meetings with the CISO.
For example, do your employees know that data loss is possible when they copy material onto a flash drive and walk out the door? Or do they carelessly leave their computers on without logging out, making the agency vulnerable to having information stolen? Another common problem is leaving a computer containing sensitive data in a car, where it can be stolen. You can ask your CISO whether the agency has an effective training program to teach employees to minimize security dangers. In asking about the training program, find out whether the issues below will be discussed:
It is likely that technologists in your agency will want the latest, newest version of technology to ensure that your information is secure. Such new technology, however, is not cheap and comes with a host of promises, including the promise that this will be the “last time” you will have to deal with security issues during your tenure. To determine how long you can get by with what you already have, be sure to discuss with your CISO whether the manufacturers of your existing software and hardware regularly produce fixes for known security threats. If so, your agency can apply these security fixes and avoid unnecessary new purchases.
Everyone is now talking about “going to the cloud” as a way to reduce technology costs. OMB has issued a directive encouraging agencies to increase the use of cloud. It would be easy to become another cloud enthusiast, especially since “parking data” outside of your walls appears to be less costly and more convenient. You should engage your CISO in a conversation about the cloud that asks the following questions:
While it is tempting to leave “technical” matters to others on your staff to handle, it is important for you to spend time working with your CISO to assure yourself that the agency is not highly vulnerable to security threats. Security problems have derailed political executives in the past and distracted them from their programmatic agenda. Time spent upfront on security will allow you to spend more time on your program agenda throughout your tenure.
Werner Lippuner is a Principal at Ernst & Young and a contributor to Paths to Making a Difference: Leading in Government. He leads the Ernst & Young IT Risk practice; Dhavan Mehta is a Senior Manager at Ernst & Young and a leader in their Information Technology Risk Assurance practice.