DHS Secretary Says Cabinet-Level IT Position Unnecessary - Napolitano addresses role of cyber security czar, calls for individuals to take personal responsibility by practicing better security habits. The secretary of the Department of Homeland Security (DHS) basically dismissed the concept of a cabinet-level IT position for technology and cyber security, noting that IT networks and services underlie most operations today.
When I see such statements coming from the DHS Secretary, my first reaction is to be completely flabbergasted. First of all, to call it an 'IT Position' does it a complete injustice. To minimize Cyber Security to a role buried within IT is not the way to solve today's problems and help mature Cyber Security to the point where you can 'secure what you own.' Getting individuals, CIOs, CTOs, CEOs, COOs and CFOs to practice better security habits is like trying to get them to eat better. It will only occur when they are forced to make a lifestyle change or suffer death.
No one is asking for the Cyber Security cabinet-level position to segregate security out from IT. What we are asking for is Cyber Security to take on the role of risk and risk oversight to coordinate and centralize the focus. The bury-your-head-in-the-sand approach that exists today in the federal government (as demonstrated by her comments and the current lack of leadership in this area) coupled with many commercial organizations that still bury Cyber Security within operational IT roles, ensures cyber security, assurance and risk professionals will continue to spend their careers in low-level roles that get little budget and little support. The only time support is obtained is after a security issue occurs.
Napolitano’s statements and position set Cyber Security back 10 years.
DHS Secretary Janet Napolitano delivered an unprecedented Web address this morning -- which came on the heels of a video address on cyber security by President Obama last week -- urging citizens and businesses to help in the fight against cybercrime and cyber attacks, and detailing her department's role in the fight. In a brief Q&A session following her online speech, Napolitano said, "It's really hard to segregate [IT] out."
Ah yes, that age-old argument that Cyber Security is only about IT and there is no need for a leadership position at the cabinet level to handle this oh-so-critical role. Her neighborhood-watch approach to Cyber Security is a naïve approach to the problem.
"I'm not sure that I think that a cabinet-level position is necessary. And the reason is that cyber runs through everything that we do as a government," she said when asked why there was no cabinet-level IT position. "I think one of the things we're learning as we enter this new cyber arena is that segregating it into an IT function is no longer adequate. Again, as my remarks suggested, cyber is part of everything we do, from the most basic transaction."
If Cyber Security is part of everything we do, then how can you not have a cabinet-level position to manage the issues? The ‘should-be’ statements are just that and not what is in place today. Really sounds like a hope and a prayer. Cyber Security has not matured to the point where it can be minimized. In order to bring Cyber Security to the forefront of every agency, every commercial organization, it must be matured and operationalized. In my experience, many times you must centralize the effort to mature it to the point of where it can be operationalized before you can move it to where it should be. Napolitano is making a great leap of faith that we are at that point in the Cyber Security maturation cycle and this leap is much like Evel Knievel’s jump across the Snake River. It is just not going to happen.
Cyber should be "part of our thinking in all departments," she said. "But added to that now, the president has included a chief technology officer -- a chief information officer -- in the White House, and he will be appointing a coordinator for cyber within the White House to help make sure that cyber is part of all that we do throughout the vast array of the federal government as we move forward."
Now that we have a CIO and CTO, the Cyber Security slot is destined to be buried as it is in most organizations: within IT, seen as only an IT position and not the risk position it should be, with a focus on information. The CIO and CTO should be protecting and securing what they own, but they do not give it the attention it deserves. All security professionals know this. A Cyber Coordinator does not give Cyber Security the proper placement and authority it deserves, as indicated as much by the title as by the fact that we do not have anything in place to date.
"Just as with our nation's preparedness for natural disasters or terrorist attacks, our nation's cyber security is a shared responsibility," Napolitano said in her Web address. "And it's an opportunity for you as an individual to personally contribute to our national security. Securing your home computer helps you and your family, and it also helps your nation in some very important ways."
Napolitano’s response is to align Cyber Security to incidents where everything is local. Such a tactical approach to Cyber Security belittles the need for strategic, risk-based oversight that is required.
Napolitano spelled out what individuals can do to help their own security as well as that of the nation: install firewalls, run and ensure that antivirus and anti-spyware is up-to-date, and check computer settings so that operating system and applications are patched automatically.
Leaving this as merely a technical issue of firewalls and anti-x is part of what the CIO and CTO should be doing, but again, we come back to 'should be.'
"Practice good online habits by not visiting suspect sites, downloading suspicious documents or attachments, or opening email from people you don't know. Back up your files regularly, use strong and secure passwords, and begin educating your children early about staying safe online," she said.
Here we are nearing the end of 2009; data is being lost and stolen at record rates; the government and commercial organizations are being scanned, probed, attacked, infiltrated and exfiltrated at unprecedented levels using means that exceed our capabilities yet we are still burying our heads in the sand when it comes to Cyber Security. To whom will the fingers point when the next major cyber attack or major breach in the government occurs? Let’s hope it is at those who currently make the decisions and not the security professionals who slog through the mud of no authority, limited funding and massive responsibility.
EU signs up new cyber-security boss
Udo Helmbrecht wants more co-operation between States and businesses
By Ian Williams
Friday, 16 October 2009, 15:49

THE EUROPEAN UNION has appointed Dr Udo Helmbrecht as the executive director of the European Network and Information Security Agency (ENISA).
Helmbrecht was born in Germany in 1955 and since 2003 has been president of the Federal Office for Information Security in Bonn.
"I am very pleased, privileged and humbled to have gained the Management Board's trust to become the Executive Director of ENISA. I proudly and readily assume this position, working for Europe," he said.
Helmbrecht wants to help the EU cyber-security outfit work more closely with other related European institutions and Member States to enhance electronic security throughout the region.
He also wants to ensure that ENISA lives beyond its current 2012 'sunset clause' by creating a permanent mandate for the organisation.
"The clear and permanent mandate is necessary to manage the increasing, fundamental role of security for economic and financial matters; for business and consumers alike," he said.
"Ultimately, the economy of Europe is at stake if we do not manage security matters properly and adequately. At the same time, we should promote the benefits of security to the citizens, so they gain trust in the advantages of information and communication technology to safely enjoy life in cyber space."
Helmbrecht did not go into any specific details around hot topics such as electronic border surveillance and monitoring or cyber-warfare, but he called for "more cooperation and dialogue with all security stakeholders."
He concluded by stressing that ENISA should be a trusted, independent body able to dispense "expert advice in security matters" and a key part of the European Parliament's security decision making process.
"The Agency's advice should have a lasting impact on the laws and regulation of the Commission and the Member States," he
Rudeboy: executive orders are nice, but the vast majority of them end up unfunded, or Departments are left to figure out which one is in alignment with their own enterprise mission and rightfully focus there, since they often do come without funds.
Just look at the failure of HSPD-12 and others...
Unfunded mandates go nowhere!
Although I agree that accountability should be with those who own the data and devices, they are not prepared to take this on, as they have exhibited for years; ergo the need to centralize and fix before dispersing back to the rightful owners. Picking up the phone to communicate is not something they will do unless there is a major breach or attack. They are more like dogs circling and marking their territory, as is the way inside the beltway (or in most corporations, for that matter).
I don't think you can fight the good fight if your head is in the sand. It just makes you a blind target of the worst kind. Sometimes you have to take accountability before you can assign it.
Follow me on Twitter http://twitter.com/jsbardin
I'm kinda with Janet on this one. She's fighting the good fight and trying to push accountability where it belongs. The DoD can focus on info security as it applies to war, the DHS can focus on info security as it applies to securing the homeland and infrastructure, the DoC can focus on info security for the consumer, etc. Funny that we'd have to invent yet another cabinet position to prevent these guys from picking up the phone and talking to each other.
Like a manager the President has tools to assist in this effort: Executive Order, National Security Directives, Homeland Security Presidential Directives.
Executive order 12958
Executive order 13486
I've been on this kick again to leverage what already exists. Continuing to invent new things makes us feel that we're making progress. It's an illusion; in 10 years, when nothing else has been done, we'll do something else new.