There are few individuals who understand government cyber and information security challenges like Mark Weatherford. Formerly the deputy undersecretary of cybersecurity at DHS, the chief security officer at the North American Electric Reliability Corporation, the chief information security officer of California and Colorado, and an experienced private sector professional, Weatherford has had a 25-year career that has given him a unique perspective on dealing with the complex challenges of information security. He spoke to WashingtonExec about those challenges, and just what it takes to overcome them.
The Art of Security
Since writing his graduate school thesis on information security in the early ‘90s, the only thing that has stayed the same about cybersecurity is its rapid rate of change. “The things I’m worried about today are not the things I’m going to be worried about tomorrow,” Weatherford said. “Cybersecurity keeps you fresh, keeps you thinking on your toes.”
It takes open-mindedness and creative thinking to succeed as a security professional, but that can be hard in government. “One of my challenges working in and with the government at the federal, state and local levels is that many folks who work in government have never done anything else, so they don’t have any perspective other than how the government does things, and that’s very limiting to them,” he said.
At the same time, it is important to recognize the way the private sector deals with information security is not necessarily going to translate smoothly to the government space.
You Can’t Copy the C-Suite
Weatherford has been a chief information security officer at the state level twice (once in California and once in Colorado). But replicating the role on the federal level is not the same. In the real world, Weatherford said, a CEO or a chief information security officer has real operational responsibilities.
“They’re responsible for making things happen, for securing their organization, for hiring people, building a budget,” but those functions are already served by agency heads and others in the existing federal government structure. The federal CIO and CISO created by former President Barack Obama’s Cybersecurity National Action Plan are more like advisers than executives. “It’s easy to put a title on someone, but if they don’t have the operational authority that typically goes with the CISO title, they’re missing part of the equation there,” Weatherford said.
But You Can Use It as a Model
That doesn’t mean we should get rid of the federal CISO and CIO entirely, however.
“One thing that I have long talked about—some agree, some don’t—is that I think there needs to be a federal CISO that has actual authority over all the agencies,” Weatherford said.
This CISO wouldn’t have operational authority, because he or she could never fully know what’s going on across the hundreds of federal agencies. Each agency would have its own CISO, but if those CISOs were not spending their budget wisely, or if they were to continue to have cybersecurity incidents, the federal CISO could step in and redirect. “I went through this in California and Colorado where I never had direct-line authority, but I had dotted-line authority,” Weatherford said.