Integrity Blog

Five Facts about the New “Commission on Enhancing National Cybersecurity”

On 9 Feb 2016, President Obama directed his Administration “to implement a Cybersecurity National Action Plan that takes near-term actions and puts in place a long-term strategy to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security.”

As part of this overall plan, President Obama signed an Executive Order establishing a Commission on Enhancing National Cybersecurity and tasking it to provide recommendations that will “enhance cybersecurity awareness and protections at all levels of Government, business, and society, to protect privacy, to ensure public safety and economic and national security, and to empower Americans to take better control of their digital security.” The Commission’s report, which will be advisory in nature, is due to the President no later than 1 December 2016.

Interestingly, the Commission was established under the Department of Commerce, which has as part of its mission “… supporting a data-enabled economy,” and not under the auspices of the Department of Homeland Security, which has as one of its five core missions to “safeguard and secure cyberspace.” Aligning the Commission under Department of Commerce for this effort is a nod to the economic importance of cyberspace and reflects the Commission’s goals to include business and consumer aspects within its analysis and recommendations.

National media outlets widely reported some details about the Cybersecurity National Action Plan (CNAP), but less so about the Commission’s purpose and focus areas. For that reason, here are five facts about the Commission and its goals:

  1. The Commission will have no more than 12 members. As this blog was being written, only two members had been publicly identified [Wall Street Journal, 18 Feb]: the Chair of the Commission will be Thomas Donilon, a former National Security Advisor, and the Co-Chair will be Sam Palmisano, a former chief executive of International Business Machines Corporation.
  2. The Executive Order specifies that “the Commission shall identify and study actions necessary to further improve cybersecurity awareness, risk management, and adoption of best practices throughout the private sector and at all levels of government.” The Government already has the NIST National Initiative for Cybersecurity Education working to address cybersecurity awareness, and risk management is a key part of the NIST Cybersecurity Framework, so it will be interesting to see what the Commission recommends with regard to these topics.
  3. One of the Commission’s directed actions is to provide a recommendation for “ensuring that cybersecurity is a core element of the technologies associated with the Internet of Things [IoT] and cloud computing, and that the policy and legal foundation for cybersecurity in the context of the Internet of Things is stable and adaptable.” Manufacturers are rushing to put IoT devices on the market. How will the Commission’s recommendations impact that quickly growing market?
  4. Is your organization considered to be within one (or more) of the 16 “critical infrastructure” sectors designated by the Department of Homeland Security? If so, the Commission’s future recommendations may be of interest to you. The Executive Order also directs that recommendations must be provided regarding “effective private sector and government approaches to critical infrastructure protection in light of current and projected trends in cybersecurity threats and the connected nature of the United States economy.”
  5. Prior lessons, trends, and other feedback are always valuable to include in analysis and program/process improvement. To this end, the Commission “shall seek input from those who have experienced significant cybersecurity incidents to understand lessons learned from these experiences.”

Are you interested in knowing more about the Commission’s objectives? You can read more on the White House’s web site at:

Information about the Cybersecurity National Action Plan can be found in the press release at:

It’s no secret that there is a labor shortage in the cybersecurity market. This shortfall of nearly 200,000 workers in the US is only expected to grow over the next 10 years. This makes finding the right fit for your information security position even more important. Let’s examine some tips for finding the best candidate for the role.

You must first understand whether the role is purely technical or whether it requires more business acumen and an understanding of IT risk management. The people who fill these roles are very different. A purely technical role is filled by someone who is immersed in technology. This individual is not asked to, and does not want to, make business decisions. This person is more hands-on and prefers to design and implement what others ask for.

A more blended role may be less hands-on and may need to interface with non-technology business leaders. This individual needs to assess the risk and be able to suggest options for the business unit to consider in an effort to reduce risk. This person may ultimately implement the solution as well, but the skill set and methodology may be vastly different from the purely technical role. I’ve seen many companies hire a rock star security engineer and then wonder why that individual is unable or unwilling to sit in business discussions regarding the best approach. Make sure you know what you want from the individual and make it perfectly clear during the interview process.

Another differentiator is the “big picture” versus “all about the details”. People who are responsible for strategic thinking and long term vision planning aren’t always good with details or execution. If you need someone to set vision, who’s going to implement it? Who’s going to discover the problems the “vision” will encounter in the real world? On the flip side, those who focus on the details can get so wrapped up in the specifics, they lose track of the vision…or may never have pulled all the pieces together to create the vision in the first place. Know what you need from the position. Rarely will you find a person who excels in both the vision and execution. There are lots of people who do ok in both areas but don’t excel at either. Is that fine for your organization? Maybe, maybe not.

The last thing to consider is moving technical resources into management. One of the biggest problems I’ve seen in technology organizations is moving highly skilled resources into management because they understand so much about the technology. While this may be true and helpful in some regards, very little of a manager’s job is about technology. It’s about people and business. Most strong tech geeks are in technology for a reason: they’d prefer to work with things rather than people. While it may be a huge stereotype, there is a LOT of truth to it. Dig into why the technology-minded individual wants to be a manager. If the first answer the individual gives isn’t “I want to help others advance their careers by sharing my knowledge and experience” or something really close, let the warning flags fly.

Finding experienced information security professionals is not a task for the faint of heart. It takes a lot of patience and a lot of time. Security professionals are not the same as technology professionals. Don’t try to take the same approach in recruiting. It won’t work. Because of the unique position they hold in most organizations, finding the right cultural fit for the information security role is even more important. They won’t have a lot of peers, and they won’t have people who understand them and their mindset. This can create tension and conflict in a role that really needs to excel at keeping the peace and making rational decisions.

If you can understand what you really need from a position before the posting is released, you’ll be able to more accurately screen your candidates and make a hire that will fit well with the role and with the organization.

Selecting a CISO

I recently read a report that said the average tenure of a Chief Information Security Officer (CISO) is 17 months. Seriously? 17 months? Having been a CISO and working with CISOs on a daily basis, I know that some of this is simply due to the competitive nature of the position. If you’re a good CISO, the sky is the limit, and you’ll be getting calls from headhunters within weeks of landing at your new job. I tend to believe that much of the tenure problem is due to the fact that companies often choose a CISO who’s a bad fit for their culture or simply doesn’t truly understand their role in an organization.

So what makes a good CISO? How can companies make better decisions? What qualities should they look for when deciding if a candidate is right for them?

Risk Management Philosophy

Any CISO who truly understands what security is all about will start any information security discussion with risk management. It is critical to understand that not all risks should be addressed. We take risks every day when we drive a car, eat food prepared by others, etc. Business is no different. It’s all about taking risk. A good CISO understands this and tries to understand which risks are acceptable and which are not. They must be focused on helping the business succeed through the use of data and technology. Only then can they recommend controls to address the prioritized risk factors. Their job is to identify the risks and effectively communicate these to the business unit so that business decisions are driving the organization forward. If technology decisions are driving the business, bad things will happen.

“Let me help” not “Yes or No”

A huge mistake for any CISO is to think they have the authority to say yes or no. Accepting or rejecting risk is a job for business leaders. The job of the CISO is to help identify the risks and propose solutions to minimize them. Saying yes or no presumes the CISO is responsible for the business. They are not. Certainly they should be a trusted adviser and may even get a vote on the final outcome, but they shouldn’t be the be-all and end-all. They are not the CEO. The CISO must be a trusted and impartial resource for the executive team. They need to truly understand how the business functions in order to identify areas of risk, develop mitigation strategies, and present them to the business unit leadership.

Be a leader, not a manager

Being a CISO requires finesse. Sometimes a CISO needs to help people understand the current threat environment and teach them about the issues facing their organization. Security often has to be “sold” to the people it impacts the most. If they feel it’s being forced on them or impacting their daily job, they will rebel. The role of the CISO is to help people understand why the changes are necessary and to provide a safe environment for them to express concern or frustration. Having a hard edged CISO may help with short term goals but will often lose effectiveness over the long haul.

Choosing the right CISO can pay huge dividends. Identifying risks the executive team was unaware of and providing well thought out mitigation strategies that align with business objectives is invaluable. Ask any CEO what keeps them up at night, and they will tell you “the things I don’t know”. Choosing the wrong CISO is almost certain to affect your company’s culture and profitability.
