
Advice for New Political Executives: Three Questions to Ask your Chief Information Security Officer

January 10, 2016


If you have previously served in government, most of the job titles you encounter will be somewhat familiar. There will be one exception. In recent years, another position has been added to the government C-Suite -- the Chief Information Security Officer (CISO). The responsibilities of the CISO include:

  • monitoring the security of your organization’s data and infrastructure,
  • mitigating and remediating vulnerabilities, and
  • collaborating with others across government to deal with risks that originate outside your agency.

As you know, cybersecurity has been receiving much attention over the last several years. Congress is now working on the Cybersecurity Act of 2012.


You are likely to be somewhat intimidated by the technical nature of this position, but there are key questions you should be asking to reassure yourself that your agency is not vulnerable to security missteps that could severely harm it. You are probably familiar with the role of the Chief Information Officer (CIO). Today, the CIO and CISO work closely together. You are likely to encounter both of them at the briefings you will receive after your confirmation.

The CISO is a key part of your team and can keep you and your agency from being embarrassed by a front page story about a security lapse. Further, the CISO’s issues should be on your management agenda. Here are three questions you should ask during your initial meetings with the CISO.

Question One: Are people in your agency trained to protect information?

For example, do your employees know that data can be lost when they copy material onto a flash drive and walk out the door? Do they leave their computers unlocked when they step away, making the agency vulnerable to having information stolen? Another common problem is leaving a laptop containing sensitive data in a car, where it can be stolen; if the disk is not encrypted, the data goes with it. You can ask your CISO whether the agency has an effective training program that teaches employees to minimize these dangers. In asking about the training program, find out whether the issues below will be covered:

  • Will employees be taught not to copy information onto unapproved portable devices?
  • Will employees be taught how to choose and store passwords?
  • Will employees be taught not to open attachments in e-mails from unknown senders or respond to chain e-mails?

Question Two: What technology does your agency actually need to buy for adequate security?

It is likely that technologists in your agency will want the latest, newest version of technology to ensure that your information is secure. Such new technology, however, is not cheap and comes with a host of promises, including the promise that this will be the “last time” you will ever have to deal with security issues during your tenure. To determine how long you can get by with what you already have, be sure to discuss with your CISO whether the manufacturers of your existing software and hardware still support those products and regularly issue security patches for them. If so, your agency can apply those patches promptly and avoid unnecessary new purchases. If a product has reached the end of vendor support, patches stop, and that is the point at which replacement becomes a security decision rather than a technology preference.

Question Three: What benefits will your agency receive by going to the cloud?

Everyone is now talking about “going to the cloud” as a way to reduce technology costs. OMB has issued a directive encouraging agencies to increase their use of the cloud. It would be easy to become another cloud enthusiast, especially since “parking data” outside of your walls appears to be less costly and more convenient. You should engage your CISO in a conversation about the cloud that asks the following questions:

  • What is the status of your agency’s move to the cloud?
  • What has the agency learned from prior cloud deployments at other federal agencies?
  • What are the quantifiable and financial benefits that your agency will receive from moving to the cloud?
  • Which security responsibilities stay with the agency after the move, and which transfer to the cloud provider?

While it is tempting to leave “technical” matters to others on your staff, it is important for you to spend time working with your CISO to assure yourself that the agency is not highly vulnerable to security threats. Security problems have derailed political executives in the past and distracted them from their programmatic agenda. Time spent up front on security will allow you to spend more time on your program agenda throughout your tenure.

Werner Lippuner is a Principal at Ernst & Young and a contributor to Paths to Making a Difference: Leading in Government. He leads the Ernst & Young IT Risk practice. Dhavan Mehta is a Senior Manager at Ernst & Young and a leader in its Information Technology Risk Assurance practice.