The federal government needs to empower agency CISOs and do more to raise cybersecurity awareness among its workforce, as well as focus on recruiting and retaining cyber talent, the largest member organization for IT security professionals said in a letter released Monday.
In its letter to the newly minted U.S. CISO Greg Touhill, the International Information Systems Security Certification Consortium, known as (ISC)2, writes that “Accountability must be elevated several levels. If you don’t have the authority to hold others accountable, you cannot effectively address the problems. There needs to be clarity surrounding who is responsible for cyber incidents.”
“In the federal government, CISOs generally report to the CIO,” explained (ISC)2’s Director of U.S. Government Affairs Dan Waddell in an interview Monday. That creates a “natural tension,” he said, because “the CIO is tasked to get these systems up and running … He or she is concerned about uptime.”
But the CISO has the responsibility to ensure the system is running securely, said Waddell, adding he favors “a governance structure in which the CISO and the CIO are peers,” rather than where the CISO reports to the CIO.
The letter also tells Touhill, “It is critical to distinguish between, and address the needs of, both the cyber workforce and the general workforce.”
“You need two different approaches,” said Waddell. Federal employees are “on the front line” of the cybersecurity conflict, he noted. “It takes one click of a mouse” on a malware-laden attachment or a malicious link, “to do serious damage to the organization … That could be anyone in your organization, it could be a contractor.”
Cybersecurity was “not a technology problem, it’s a people problem,” he said. He added that the recommendations in the letter were drawn up by (ISC)2’s U.S. Government Advisory Council, based on the results of an extensive survey of federal practitioners.
Waddell said that current thinking about cybersecurity training was too focused on the need to train up specialists, and not enough on the workforce as a whole.
“It’s got to be about educating the workforce in cyber[security] rather than just educating the cyber[security] workforce,” he said.
“Agencies must have training dollars set aside to train non-cyber employees,” reads the letter. “Resources must be dedicated to regular and continuous cyber hygiene training and simulation drills, cyber range activities and practical exercises that engage users at every level,” it adds.
It also urges a communications campaign for general IT users modeled on the Department of Homeland Security’s “See something, say something” slogan, but built around the five core principles of the National Institute of Standards and Technology’s Cybersecurity Framework — “Identify, Protect, Detect, Respond and Recover.” The campaign should also include good news stories about cyber successes “so that people know what works.”
Finally, the organization, which has 115,000 members in more than 160 countries, calls on Touhill and colleagues to double down on efforts to retain cyber-specialists in the federal government. “Address waning employee morale. The retention imperative must resonate throughout the agency’s cybersecurity organization at every level,” reads the letter.
“There are some great examples of federal departments that are having some success retaining their cyber workforce,” said Waddell, citing a DHS program that offers bonuses and salary enhancements for cyber staff who obtain professional certifications, including the one that (ISC)2 itself offers, the Certified Information Systems Security Professional, or CISSP.
Waddell said they hoped Touhill would attend the next meeting of the government advisory council, to start a dialogue about cyber policy.