Building DHS's All-Star Cybersecurity Team
A Conversation with Deputy Undersecretary Mark WeatherfordIn the words of Weatherford, Homeland Security deputy undersecretary for cybersecurity, Streufert is a "superstar" across the federal government, having won praise from IT security practitioners and policymakers as well as members of Congress for implementing a continuous monitoring program and risk scoring system at the State Department as chief information security officer. Weatherford tapped Streufert in January as director of DHS's National Cybersecurity Division.
See Also: How Enterprise Browsers Enhance Security and Efficiency
"You don't build a championship team with double-A ball players; we're recruiting a team of major leaguers," Weatherford says, adding that similar types of appointments will be coming in the next few months.
Creating an all-star cybersecurity team at DHS was among a number of subjects discussed in one of Weatherford's first wide-ranging interviews since Secretary Janet Napolitano tapped him as deputy undersecretary last October. Weatherford sat down with GovInfoSecurity at the recent RSA Conference 2012, when he addressed:
- DHS's increasing sway over determining how non-defense and non-intelligence agencies approach IT security, including the relationship he hopes to build with departmental and agencies CISOs.
- The federal government's role in ensuring the mostly privately operated national critical information infrastructure remains secure.
- Why Congress needs to pass comprehensive cybersecurity legislation.
- How his past jobs - as vice president and chief security officer of the North American Electric Reliability Corp. as well as CISO for California and Colorado state governments - provide valuable insights that should help him hurdle the challenges his new position presents.
Raising the Bar
The Streufert appointment helps boost one of Weatheford's major priorities: getting non-defense and non-intelligence agencies to implement the continuous monitoring of their IT systems to flag IT security vulnerabilities before they pose problems. "If we can give him the tools that he needs to do across the government what he did at the State Department, it is probably the most important thing that we can do to raise the bar for every federal government agency," Weatherford says.
Implementing continuous monitoring across the government will neither be easy nor cheap. Weatherford says he would use part of the extra $204 million the Obama administration proposes to be spent on security initiatives by DHS in the next fiscal year on continuous monitoring. "I want to be at a position to put that money where the government as a whole benefits the most," he says. "You don't put a $100 screen on a $5 window. You have to put the resources to work appropriately."
But even with more money - he didn't specify exactly how much - implementing government-wide continuous monitoring and other IT security initiatives will be tough, in part, because of a dearth of IT security practitioners in departments and agencies. "If I can wave a magic wand, it would be for talent, and not just for the government," Weatherford says. "The nation has to get better early on in identifying, cultivating and developing talent in cybersecurity. There is no more important imperative for the nation right now. Our technology challenges are getting harder, not easier, and we're not growing, developing the right kind of people that our nation needs 20 years from now."
Still, the problem is now, and the Obama administration sees addressing IT security governance as an enterprise - and not in fiefdoms of individual departments and agencies - as one way to more efficiently and effectively achieve cybersecurity government-wide. "It's probably no surprise that cybersecurity maturity across the federal government is not evenly distributed," Weatherford says. "I would like to focus where those agencies don't have the maturity, don't have the resources, don't have the manpower to do cybersecurity the way they want to or the way they should, and leverage resources from, perhaps. other agencies that have that kind of talent."
'Happy to be that Bad Buy'
Yet, the enterprise approach to IT security requires a diplomatic touch. Weatherford doesn't want angry departmental and agency CISOs who feel DHS and the White House Office of Management and Budget impose unfair solutions. "The last thing I would ever want to be is to be accused of being a dictator; you don't live long that way," he says.
As a leader, Weatherford sees himself as a collaborator, who works well with others. "I have figured out where strongpoints are and how to matrix those to the benefit of everybody," he say.
Weatherford does not envision an adversarial relationship with departmental and agency IT security leaders. In fact, he sees himself as sort of a foil to cabinet secretaries and agency directors who have shown a lack of enthusiasm in backing their CISOs in creating tough cyber defenses. "I told my CISOs in California all the time, 'Blame me, I will take the heat for you,'" Weatherford says. "I've been a CISO in organizations when like: 'Holy cow, I can't get what I need.' I'm more than happy to be that bad guy."
Having been a CISO helps Weatherford do his job. "I would not be comfortable in this job without the experience I have," he says. As important were the 1½ years Weatherford spent before joining DHS at the North American Electric Reliability Corp., the government-authorized, industry-run self-regulatory agency for America's bulk electricity producers. "What makes me valuable to this job is having had experience in a critical infrastructure sector like the electricity industry; I worked regularly with DHS and DOE (Department of Energy) when I was in the private sector, because we had to," Weatherford says. "It gave me a different perspective."
That perspective includes the realization that industry alone cannot decide how best to secure the nation's critical IT security infrastructure. The Obama administration [see Video: Schmidt Hopeful on Bill's Passage] and the Cybersecurity Act of 2012, legislation before the Senate [see Senators Unveil Major Cybersecurity Bill], would have the mostly privately owned operators of the critical infrastructure define the best ways to defend these vital networks but have the government - in some instance, DHS - ensure they follow through on those best practices. The role of the federal government would be to define a level of security to be achieved with industry then creating those standards.
Cybersecurity Act Advocate
"The government is not going to step in and say, 'OK, here's your new standard. I would be embarrassed to say that anyone in the government would presume to be smarter than the people who do this everyday for their living," Weatherford says. "Where we would weigh in on this is to set a security performance bar and let industry set standards to meet that performance level."
The Obama administration and the sponsors of the Cybersecurity Act have been lobbying heavily for passage of the legislation since some Republicans introduced an alternative cybersecurity bill that does not impose any form of standards or regulation on private-sector IT systems [see Partisan Showdown over Cybersecurity Bill]. Over the past couple of weeks, Weatherford has been the lead cheerleader for the Cybersecurity Act, having posted four blogs on the DHS website explaining why the legislation is necessary.
The deputy undersecetary sounds optimistic that meaningful, bipartisan cybersecurity legislation could be enacted this year. "People understand that it's time to do something, time to step up," Weatherford says. "Cybersecurity has reached that tipping point; you simply cannot ignore it any longer. We have to do something about it. I think we're in a good place and a good point in time. Even though things move slowly, the support is there for people to wisely make decisions on how we move forward."
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.