Among the many roles federal chief information security officers play in their agencies, normalizing a culture around cybersecurity and bringing it to the forefront of their agencies’ leadership is one of their biggest tasks.
For CISOs at the departments of Health and Human Services, Veterans Affairs, Homeland Security and beyond, this effort comes with its own set of challenges.
“I looked at the landscape at my organization and realized how siloed cybersecurity was and that we really need to speak the language of the mission and the program that we’re dealing with and make it relevant to them,” HHS CISO Janet Vogel said at ACT-IAC's Imagine Nation ELC in Philadelphia Tuesday. “If people get too frightened by what you’re saying, they’re going to tune you out, and yet they have to know the basics for their everyday life.”
Community outreach has been a key strategy for Vogel to communicate the importance of cybersecurity to the agency in an easily consumable way. Having annual cybersecurity training did not engage personnel in an effective way, so Vogel tried to make it more engaging to drive the impact of cybersecurity into the agency's mission.
“We looked at each organization, what their goals were and tied into them,” Vogel said, adding that she saw experiential learning was a strategy that she saw people liked. “We implemented a ‘several birds of a feather’ type of activity where we got groups together to share their experiences. So we’re not telling them — we’re asking.”
Vogel launched other experiential learning programs at HHS, such as having a “cyber escape room” for hands-on learning, as well as speed matching, where CISOs discuss and share best practices. Other initiatives include reading out to the health care community through portals HHS has created.
“All we have to do now is talk to our customers that are in the community,” Vogel said. “It has to be in plain language, and it has to be in a medical terminology that they understand.”
Department of Education CISO Steven Hernandez echoed Vogel’s comments, saying that one of the most important ways he’s been able to communicate cybersecurity priorities to his agency as been through “being able to tell a story and being able to explain where we’re coming from, where we’re going and what’s important to the stakeholder."
Strategically, accomplishing effective communication of cybersecurity priorities requires a balance of mission and security, DHS CISO Soldenise Sejour said. She said she does this by bringing integrated teams of different stakeholders together.
“The collaboration and integration has really led to not only building secure solutions, but also resolving conflicts and resolving conflicts at the beginning and not the end, helping avoid that back and forth against an operation,” Sejour said. “On top of that, which I think is the best outcome of the collaboration, is it builds a trust and transparency. So [it goes] back to Janet’s comment on silos and breaking down those barriers.”
At VA, breaking down barriers between cybersecurity and agency mission means stacking priorities and mapping them out fiscally to project tangible progress and results to leadership.
“That priority stack is very valuable," said VA CISO Paul Cunningham. "If you do get a plus-up and we are successful in justifying our money, we’re going to get that additional dollar. We know exactly where we want to put it and get the biggest bang for our buck.”
Likewise, one of Department of Energy CISO Emery Csulak's top tasks is to "sell cyber to the agency."
The CISOs all agreed that their main job is to make cybersecurity easier for their agencies to accomplish and, as Hernandez said, to “know the risk, provide a way.” They underlined that customer experience, community outreach and engaging their organizations’ leadership and personnel effectively are critical ways they accomplish the CISO mission.