Advice from a recovering Public-Sector CISO

Several weeks ago I wrote an article comparing some of the differences I had noted over the last eighteen months between serving as a public-sector CISO and as a private-sector CISO. That article was written in response to many long discussions with peers who were intrigued by these differences and who asked that, if I found things I thought were unique, I please write about them.

Two weeks after writing that article, one of the veterans I have mentored, who works in the cybersecurity community, informed me that he was looking at taking his first CISO role. This new role would be in the public sector, and he wanted to speak to me about some of the new challenges he expected to face. In preparing for our discussion, I started writing down notes about issues I had seen or hacks I believed would help him be successful. I wanted to make sure I covered things that would be of some worth to him in his new job. After much thought and five pages of notes, I realized I had another article. The following discussion is based on insights I have learned over the last ten years as a CIO and CISO for the Federal Government and a large municipality. Understand that this information is advice, not a set of hard-and-fast rules; these are "hacks" and observations I learned through trial and error. I hope you find them of interest and that they provide you some value, or at least a good laugh – enjoy!

1. Who are you reporting to as CISO? – I bring this issue up first because you will find that most public-sector CISO positions have the CISO reporting to the CIO. In the private sector, the CISO can report to anyone from the CEO to Legal, the CTO, etc. The old reporting structure of having the security program inside the IT department has matured and changed in private industry, but in a government setting there is no driver like revenue to push an organization to be innovative and look at new departmental structures to manage risk. So understand that you will most likely be reporting to a CIO, which is neither good nor bad, but there are some things you will want to know, and these usually aren't advertised in the job description. The first point to be aware of, if you have never reported to a CIO, is that they run on an operational mindset focused on providing daily enterprise IT services, while as a CISO you will operate in a different, long-term, risk-oriented mindset as you build your security program and implement its controls. These two viewpoints can complement each other; just understand that CIOs like to control change as they manage operations, and as a CISO you are a change agent, so be aware of possible contention. Another issue I have found that may cause problems is your budget. You will want to know whether you control your budget or whether the CIO manages it and you have to justify each line item. I have had both arrangements and found that having more control of the budget allowed me to be flexible in responding to changing threats and business requirements. However, it also means your mistakes are more visible, so keep that in mind. One last point on this subject: in reporting to a CIO, expect that they will be interfacing with executive leadership, not you. If this is your first CISO role, that may be a good thing because you can learn from them. I have had CIOs as excellent mentors; with that said, make sure that if they are presenting to executive management you are in the room, so you can learn and be ready professionally when it is your turn.

2. Relationships are invisible landmines – As a new CISO in the public sector, one of the first things I found interesting was that many of my stakeholders had been in their positions for years. The amount of institutional knowledge they carried in their heads was amazing. I also found that many of my team members had served in various departments across the organization over the years, and they knew who the subject matter experts were that we needed to champion our new security program. Using my team members' insights, I proceeded to meet many of my new stakeholders to understand their needs. In this process, I found that because a large number of these employees had been at my organization for years, there were extensive relationship connections that ran behind the scenes between the various departments, business teams and employees. As a CISO you are a change agent, and you must be aware of these relationships; otherwise it's like walking into an invisible minefield. These relationships can help you get things done quickly; they can help you evangelize your security program and the value it brings to the business. As a CISO in the government sector, understand the relationships around you, cultivate them when needed and build some of your own for the success of your program.

3. Risk management framework, small issues to drive change – In the public sector, you will find that your primary risk management framework will in most cases be NIST. There may be others, such as PCI DSS if your organization accepts credit cards for payment, but you will need to get comfortable with the various NIST special publications. So as you settle into your new role, think about doing a risk assessment so you understand your new organization's risk exposures. For myself, I always like to assess my new organization after I have been there for at least thirty to sixty days. I do this assessment because I want my own view of my new organization's operational risks. For this risk assessment, I recommend using the CIS 20 first because it is an easy-to-use framework that gives an executive view of the organization's current risk baseline. My rule of thumb for the CIS 20 is that once the assessment is complete, if my organization scores at least 70 percent, I will transfer the findings to the NIST CSF because we are mature enough to use a more in-depth risk management framework. My advice to you as a new CISO: if you are not familiar with NIST, ask for help. It is not as convoluted and vague as ISO can be; instead, NIST is quite in-depth, and you can get lost in the minutiae of sub-controls, so reach out to peers if you need assistance. Once you have done the CIS 20 and have crosswalked the findings to the NIST CSF, prepare a list of findings that will need remediation. Take these findings and get your stakeholders to help you prioritize them. Then, with this list of issues, break them into small pieces. I would have you and your teams focus on the top five issues first. Work the top five issues for the next quarter, and as one initiative is remediated, slide another into its place. Remember, in a government setting you don't get to do large amounts of change at once, so take these small projects and incrementally drive change one initiative at a time.

4. Procurement in the public sector is a trial of perseverance – It is important that as you meet your stakeholders, you get a solid briefing on how the procurement cycle works in your new government position. Right away you will see that employees acknowledge that the funds you spend belong to the taxpayer, so there is an amazing amount of visibility into anything you purchase. Don't be surprised that there are specific spending levels and that at each level you may have to get multiple quotes or document why you can only use a sole-source vendor. Also, understand that everything will have to be reviewed by multiple departments, so a purchase that takes 2-4 weeks in the private sector will usually take up to 3 months or more in government. As a CISO I used this delay to my advantage: I worked to get extra discounts if I could get the purchase done sooner, and I would then try to walk it through the process as much as possible to save funds and speed things up. If you plan to try speeding up your procurement process, make sure your procurement representatives are on board and be prepared to do extra paperwork. Nothing in government gets purchased without lots of paperwork.

5. Time and Decision Making run differently in the public sector – You will find, working as a government CISO, that you will have meetings about meetings. This need to hold meetings to discuss everything drove me crazy at first, but over time I realized that in a government environment time is viewed differently. In the private sector, the organization focuses on the micro level, and revenue and quarterly earnings results drive decisions quickly, whether to take advantage of new opportunities or to reduce the impact of adverse decisions. In government, it is more of a macro-level, far-term view of operations without the revenue driver there to influence business needs. As a public-sector CISO, you will see that there are longer timeline views about projects and that the sense of urgency to make decisions is very different. You will also find in government that decision making tends to be a group effort. Coming from a military background, where I discussed issues with my team but had the final say, to an environment where we would have meetings to talk about issues and then meetings to make a decision was mind-numbing. However, I realized that in my new organization's business culture the extra time we spent was about doing the proper due diligence to show we were managing the taxpayer dollars entrusted to us correctly. That takes time, so get used to the slower pace.

6. Technology change is convoluted at best – In private industry, the business will change its technology to capture market share or to better position itself to bring products and services to its customers. None of these factors apply in the public sector. In the Federal Government, technology upgrades are managed by higher authority, and the selected hardware, software, and cloud services have to meet specific testing requirements and be on an approved list before we could purchase them. This, of course, leads to you always feeling you are one revision behind, but it's how technical change is managed to control what is deployed on the massive government networks. On the municipal side, I never had to deal with getting other agencies to bless what I needed to purchase; it was instead a matter of funding and the impact on other departments' business operations. In the Federal Government, I found as a CISO that they were consistently trying to upgrade where they could; on the municipal side, however, cities are packrats and will keep and use a technology long past the point when it is safe. As a public-sector CISO, you will fall into one of these categories and find you want to scream about the threats the organization is exposed to if it doesn't upgrade. Don't do it: "Fear – Uncertainty – Doubt (FUD)" does not work well in a government environment. Instead, talk about the loss of services, or the new services that can't be taken advantage of, because the organization is using legacy equipment. This issue of shadow IT, legacy equipment and services, and the slow process for replacing them will be one of the issues you will have to help manage. To be successful at this, leverage your stakeholders and new relationships and get them to evangelize for you the value of keeping your organization's technology portfolio as current as possible.

In closing, I hope I have provided an inside view into some of the challenges a public-sector CISO faces and the different ways I learned to adjust to and manage them. For those of you in our community looking for your first CISO role, I would recommend you look to the public sector. This sector always needs good security leaders, and it is the ideal environment for a new CISO to learn how to build a security program and lead their first teams. I worked in this sector for over ten years in multiple positions and never regretted it. Many of the skills I learned there have made me successful in private industry today as the Global CISO for Webroot. Don't forget, in the cyber community we collaborate, so as you start your new role don't be afraid to ask for help – security thrives through us helping each other.

***In addition to having the privilege of serving as Vice President and Chief Information Security Officer for Webroot Inc., I am a co-author with my partners Bill Bonney and Matt Stamper on the CISO Desk Reference Guide Volumes 1 & 2. For those of you that have asked, both are now available on Amazon, and I hope they help you and your security program, enjoy!

Renee Small

Cybersecurity Super Recruiter | Talent Management SME | Breaking Into Cybersecurity Podcast Host | Recruitment Business Owner helping CIOs, CTOs, CEOs hire CISOs + build amazing security teams at Cyber Human Capital

6 years

Gary, this was very insightful. As an HR person and recruiter, understanding the intricacies of the challenges that CISOs face in the public and private sector is invaluable. Most of the people I connect with have aspirations to be a CISO and I will be sure to share this article with them as well as with my HR peers.

Mobolaji "Manny" Moyosore

Founder and CEO | Practice Lead | Executive | Career Coach

6 years

Rich and broad perspectives! Your thoughts demonstrate a strategic/holistic view of the enterprise. This is an art which every CISO must learn to have a chance of succeeding in this incredibly challenging job.

Santosh Kondekar

Director - Cybersecurity & Risk - IAM

6 years

Great insight Gary. Thanks for sharing.

Bruce Brody

Cybersecurity and Risk Management Subject Matter Expert | First Senior Executive Service Chief Information Security Officer (CISO) in the Federal Government | Boards of Directors Cybersecurity Expertise

6 years

Good article, Gary. I have also been a CISO in both the Public and Private sectors. One thing that strikes me as a stark difference is the oversight authority in the Public Sector - Inspectors General, OMB, and Congress - don’t measure the things that matter. They measure FISMA metrics, which many agencies can fare well against, but which are mostly meaningless when it comes to preventing breaches.
