CISO’s at HHS, DOD, DOT, DHS and Northrop Chart Top Priorities in FY18

CISOs of four federal agencies and from the private sector discussed their cybersecurity priorities during the 8th Annual Billington CyberSecurity Summit, Sept. 13.

The entire panel discussion, Top Cybersecurity Priorities for CISOs in FY18–Implementing the Executive Order, is available to view here.

Panelists were:

Moderator: Brigadier General (Ret) Gregory Touhill, Former US CISO; President, Cyxtera Federal Group, Cyxtera Technologies


* Essye Miller, Deputy Chief Information Officer for Cybersecurity, CIO, U.S. Department of Defense

* John “Jack” Donnelly, Associate CIO for Cyber Security and CISO, U.S. Department of the Treasury

* Christopher Wlaschin, CISO and Exec. Director, Information Security, U.S. Department of Health & Human Services

* Jeffrey Eisensmith, CISO, Office of the CIO, U.S. Department of Homeland Security

* Dr. Michael Papay, Vice President and CISO, Northrop Grumman

Here’s an overview of key points panelists made back on September 13.

CISO Organizational Structure:

Papay:  It doesn’t matter where the CISO is placed in the organization. The most important aspect is for the CISO to have a great relationship with the CIO.

Donnelly:  With his work with the banking industry, he sees a move towards placing the CISO in the security organization and put under the Chief Risk Officer. He added, “I wouldn’t mind seeing that transition in government.”

Eisensmith:  Two years ago the DHS Undersecretary for Management led a cyber scrub quarterly.  Having a very senior leader resulted in being able to push significant changes through the department.

Top Threats and Needed Investments: 

Miller:  At DoD, Miller is working to ensure that industry partners and small businesses are focusing on the same goals.  Investments are important, but they need to holistic—the whole of government and with industry partners.

Eisensmith:  The biggest threat continues to be the insider threat—whether intentional or unintentional. The unintentional threat really causes havoc on an everyday basis. This is followed by spear phishing.

Papay: Northrop’s goal is to respond to any threat within minutes.

Donnelly:  There is a critical workforce shortage. “We have resource shortage and then we have issues in terms of quality control.”

Risk Management and the EO: 

Miller:  The EO has moved the emphasis from compliance to risk assessment.

Eisensmith:  The EO required a team of operators not just the CIO to come up with action plans and raised it up to level where leadership was deeply involved.

Touhill:  The EO has put cybersecurity on the agenda of every department secretary.

Donnelly:   A key indicator for Donnelly when looking at risk is what is the number associated with the risk.  Is it a $2 million risk, or is it a $15 million risk?  Number and quantitative data is important in assessing risk.

Wlaschin:  80% of the HHS cyber budget is on respond and recover.  The CIO is moving the budget to address those risks well before they force you to respond and recover.

Benefit of the NIST Cybersecurity Framework:

 Papay: The NIST framework helps me communicate to the board of directors where we stand and how we’re doing.

Eisensmith:  The Cybersecurity framework is most useful for having conversations with senior leadership.

Holiday Wish List: 

Eisensmith:  Significant investment in the cybersecurity workforce–both in training and retention.

Papay: Tools that already come integrated with tools I already own.

Wlaschin:  Better communication and outreach to the private cybersecurity community.

Miller: “How do I get closer to automated patch management?” Her second Christmas wish is to span the ecosystem and tell me where my risk areas are.

The entire panel discussion, Top Cybersecurity Priorities for CISOs in FY18–Implementing the Executive Order, is available to view here.