
Commentary: So, You Want to Be a CISO

For those aspiring to be a Chief Information Security Officer, IT industry veteran Gary Hayslip offers some specific advice.

Gary Hayslip is a career cybersecurity professional who made the jump from the public sector to private industry about 18 months ago. He originally posted this article on LinkedIn.com, and we thought Techwire readers would enjoy reading it here. Hayslip, vice president and chief information security officer for Webroot, is an adviser or board member for numerous professional and civic groups, including the California Cybersecurity Task Force, the National Technology Security Coalition and the San Diego CISO Round Table. His professional and personal background is further detailed here.

Recently, I wrote an article comparing some of the differences I had noted over the last 18 months between serving as a public-sector Chief Information Security Officer versus a private-sector CISO. That article was written in response to many long discussions I had with my peers who were intrigued by these differences.

Soon after writing that article, one of the veterans I have mentored, who works in the cybersecurity community, informed me that he was looking at taking his first CISO role. This new role would be in the public sector, and he wanted to speak to me about some of the new challenges he expected to face. In preparing for our discussion, I started writing down some notes about issues I had seen or hacks I believed would help him be successful. I wanted to make sure I covered things that would be of some worth to him in his new job. The following observations are based on insights I have learned over the last 10 years as a CIO and CISO for the federal government and a large municipality. Understand: This information is advice, not hard rules; these are “hacks” and observations I learned through trial and error. I hope you find them of interest and that they provide you some value or at least a good laugh — enjoy!

Whom are you reporting to as CISO?

I bring this issue up first because you will find most public-sector CISO positions will have the CISO reporting to the CIO. In the private sector, the CISO can report to anyone from the CEO, Legal, CTO, etc. The old reporting structure of having the security program inside the IT department has matured and changed in private industry, but in a government setting, there is no drive like revenue to push an organization to be innovative and look at new departmental structures to manage risk. So understand, you will most likely be reporting to a CIO, which is neither good nor bad, but there are some things you will want to know, and these usually aren’t advertised in the job description. One of the first points you need to be aware of if you have never reported to a CIO is they run on an operational mindset that is focused on providing daily enterprise IT services. As a CISO, you will operate in a different long-term risk-oriented mindset as you build your security program and implement its controls. These two different viewpoints can be good; just remember that CIOs like to control change as they manage operations, and as a CISO, you are a change agent, so be aware of possible contention.

Another issue I have found that may cause problems is around your budget. Do you control your budget, or does the CIO manage it and require you to justify each line item? I have had both options, and found that having more control of the budget allowed me to be flexible to changing threats and business requirements. However, it also means your mistakes are more visible, so keep that in mind. One last point: In reporting to a CIO, expect that they — not you — will be interfacing with executive leadership. If this is your first CISO role, then that may be a good thing because you can learn from them. I have had CIOs as excellent mentors; just make sure that if they are presenting to executive management, you are in the room so you can learn and be ready professionally when it is your turn.

Relationships are invisible landmines

As a new CISO in the public sector, one of the first things I found interesting was that many of my stakeholders had been in their positions for years. The amount of institutional knowledge they had in their heads was amazing. I also found that many of my team members had served in various departments over the years, and they knew the subject matter experts we needed to champion our new security program. Using my team members' insights, I proceeded to meet many of my new stakeholders to understand their needs. I found that there were extensive relationship connections that ran behind the scenes among the various departments, business teams and employees. As a CISO you are a change agent, and you must be aware of these relationships; otherwise it's like walking into a minefield. These relationships can help you get things done quickly; they can help you evangelize your security program and the value it brings to the business. As a CISO in the government sector, understand the relationships around you, cultivate them when needed, and build some of your own for the success of your program.

Risk management framework

In the public sector, you will find your primary risk management framework will in most cases be NIST. There may be others, such as PCI DSS if your organization accepts credit cards for payment, but you will need to get comfortable with the various NIST special publications. So as you settle into your new role, think about doing a risk assessment so you understand your new organization's risk exposures. I always like to assess my new organization after I have been there for at least 30 days. I do this assessment because I want my own view of my new organization's operational risks. For this risk assessment, I recommend using the CIS 20; it’s an easy-to-use framework that gives an executive view of the organization's current risk baseline. My rule of thumb for using the CIS 20 is that once the assessment is complete, if my organization scores 70 percent or better, I transfer the findings to the NIST CSF because we are mature enough to use a more in-depth risk management framework. As a new CISO, if you are not familiar with NIST, ask for help. It is not as convoluted and vague as ISO can be. Instead, NIST is pretty in-depth, and you can get lost in the minutiae of sub-controls, so reach out to peers if you need assistance. Once you have done the CIS 20 and have crosswalked the findings to the NIST CSF, prepare a list of findings that will need remediation. Take these findings and get your stakeholders to help you prioritize them. Then, with this list of issues, break them into small pieces. I would have you and your teams focus on the top five issues first. Work the top five issues for the next quarter, and as one initiative becomes remediated, slide another into its place. Remember, in a government setting, you don’t get to do large amounts of change, so take these small projects and incrementally drive change one initiative at a time.

Public procurement requires perseverance

It is important that as you meet your stakeholders, you get a solid briefing on how your procurement cycle works in your new government position. Right away you will see that there is an acknowledgment from employees that the funds you spend belong to the taxpayer, so there is an amazing amount of visibility that goes into anything that you purchase. Don’t be surprised that there are specific spending levels, and at each level, you may have to get multiple quotes or document why you can only use a sole source vendor. Also, understand that everything will have to be reviewed by multiple departments, so a purchase in the private sector that takes two to four weeks will usually take three months or more in government. As a CISO, I used this delay to my advantage and worked to get extra discounts if I could get it done sooner. I would then try to walk it through as much as possible to save funds and speed up the process. If you plan to try speeding up your procurement process, make sure your procurement representatives are on board and be prepared to do extra paperwork. Nothing in government gets purchased without lots of paperwork.

Time, decisions differ in public sector

You will find while working as a government CISO that you will have meetings about meetings. This need to have meetings to discuss everything used to drive me crazy, but eventually I realized that in a government environment, time is viewed differently. In the private sector, the organization focuses on the micro level, and revenue and quarterly earnings drive decisions quickly to take advantage of new opportunities or to reduce the impact of adverse decisions. In government, it is more of a macro level, far-term view of operations without the revenue drive there to influence business needs. As a public sector CISO, you will see that there are longer-timeline views about projects, and the sense of urgency to make decisions is less acute. You will also find in government that decision-making tends to be a group effort. Coming from a military background, where I discussed issues with my team but I would have the final say, to an environment where we would have meetings to talk about issues and then meetings to make a decision, was mind-numbing. However, I realized that in my new organization's business culture, the extra time we spent was about doing the due diligence to show that we were correctly managing the taxpayers' dollars. That takes time, so get used to the slower pace.

Changing technology: Convoluted at best

In private industry, the business will change its technology to capture market share or better position itself to bring products and services to its customers. None of these factors applies in the public sector. For the federal government, technology upgrades are managed by a higher authority, and the selected hardware, software and cloud services have to meet specific testing requirements and be on an approved list before they can be purchased. This, of course, leads to you always feeling you are one revision behind, but it's how technical change is managed to control what is deployed on the massive government networks. On the municipal side, I never had to deal with getting other agencies to bless what I needed to purchase; it instead was a matter of funding and impact on other departments' business operations. In the federal government, I found as a CISO that they were consistently trying to upgrade where they could. On the municipal side, however, cities are packrats and will keep and use a technology long past the point when it is safe.

As a public-sector CISO, you will fall into one of these categories, and you'll want to scream about the threats they are opening the organization up to if they don’t upgrade. Don’t do it: "Fear — Uncertainty — Doubt (FUD)" does not work well in a government environment. Instead, talk about the loss of services, or the new services that can’t be taken advantage of, because the organization is using legacy equipment. The issues of shadow IT, legacy equipment and services, and the slow process for replacing them will be among the issues you will have to help manage. To be successful at this, leverage your stakeholders and new relationships and get them to evangelize for you the value of keeping your organization's technology portfolio as current as possible.

For those of you in our community looking for your first CISO role, I would recommend you look to the public sector. This sector always needs good security leaders, and it is the ideal environment for a new CISO to learn how to build a security program and lead their first teams. I worked in this sector for over 10 years in multiple positions and never regretted it. Many of the skills I learned there have made me successful in private industry today. Don’t forget, in the cybercommunity, we collaborate, so as you start your new role don’t be afraid to ask for help. Security thrives through us helping each other.

Gary Hayslip is vice president and chief information security officer for Webroot and, with partners Bill Bonney and Matt Stamper, co-authored the CISO Desk Reference Guide Volumes 1 & 2.