
There are few individuals who understand government cyber and information security challenges like Mark Weatherford. Formerly the deputy undersecretary of cybersecurity at DHS, the chief security officer at the North American Electric Reliability Corporation, the chief information security officer of California and Colorado, and an experienced private sector professional, Weatherford's 25-year career has provided him a unique perspective on dealing with the complex challenges of information security. He spoke to WashingtonExec about those challenges, and just what it takes to overcome them.
The Art of Security
Since writing his graduate school thesis on information security in the early '90s, the only thing that has stayed the same about cybersecurity is its rapid rate of change. "The things I'm worried about today are not the things I'm going to be worried about tomorrow," Weatherford said. "Cybersecurity keeps you fresh, keeps you thinking on your toes."
It takes open-mindedness and creative thinking to succeed as a security professional, but that can be hard in government. "One of my challenges working in and with the government at the federal, state and local levels is that many folks who work in government have never done anything else, so they don't have any perspective other than how the government does things, and that's very limiting to them," he said.
At the same time, it is important to recognize the way the private sector deals with information security is not necessarily going to translate smoothly to the government space.
You Can't Copy the C-Suite
Weatherford has been a chief information security officer at the state level twice (once in California and once in Colorado). But replicating the role on the federal level is not the same. In the real world, Weatherford said, a CEO or a chief information security officer has real operational responsibilities.
"They're responsible for making things happen, for securing their organization, for hiring people, building a budget," but those functions are already served by agency heads and others in the existing federal government structure. The federal CIO and CISO created by former President Barack Obama's Cybersecurity National Action Plan are more like advisers than executives. "It's easy to put a title on someone, but if they don't have the operational authority that typically goes with the CISO title, they're missing part of the equation there," Weatherford said.
But You Can Use It as a Model
That doesn't mean we should get rid of the federal CISO and CIO entirely, however.
"One thing that I have long talked about—some agree, some don't—is that I think there needs to be a federal CISO that has actual authority over all the agencies," Weatherford said.
This CISO wouldn't have operational authority, because he or she could never fully know what's going on across the hundreds of federal agencies. Each agency would have its own CISO, but if those CISOs were not spending their budget wisely, or if they were to continue to have cybersecurity incidents, the federal CISO could step in and redirect. "I went through this in California and Colorado where I never had direct-line authority, but I had dotted-line authority," Weatherford said.
1 Comment
The increasing number of IoT devices has actually made it really difficult for cyber security firms to formulate security measures. DDoS attacks have surely taken advantage of that. DDoS attacks multiplied by 68% in the past 5 years only. The key to avoiding a DDoS attack is constant monitoring of activities. DDoS Protection from PureVPN also comes in handy, which I personally use.