Grant Schneider, the Federal government’s chief information security officer, said the Office of Management and Budget (OMB) is aiming to provide “maximum support” to Federal agencies as they work to improve network security.
During a panel discussion today at the Billington Cybersecurity Summit, Schneider said that, during his tenure at OMB, the agency has tried “to establish the ground floor of expectations for Federal agencies” on cybersecurity.
Working in partnership with the Department of Homeland Security, “we really want to be there as a support structure” for agencies on cybersecurity improvements, the Federal CISO said, including by providing CyberStat reviews that typically address information security risk and identify areas that need improvement.
Speaking on the same panel today, retired Air Force Gen. Greg Touhill – former Federal CISO and now president of Cyxtera Federal Group – said the focus during his tenure as Federal CISO in 2016 and 2017 included “changing the narrative” on cybersecurity to a risk management issue, rather than a compliance exercise.
He also pointed to the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) Program as a “critical factor” for helping improve Federal agency security success during his tenure with the government.
Schneider underscored the importance of moving away from a compliance-only mindset on security when asked to offer advice on improving security. “Talk about risk with your senior leadership,” he advised, including mitigation capabilities and risk tolerance. Then, he said, “focus on fundamentals,” including due diligence and patching known vulnerabilities.
Touhill urged a mindset that creates a “proportionate defense” of networks based on the classification and value of information being protected. “We have to make sure we are protecting the crown jewels,” he said, adding, “don’t spend a bazillion dollars on [protecting] something that’s not worth the squeeze.”
Asked about pressing current threats, Schneider said he was tempted to say nation-state cyber threats in general, but instead chose to simply reply, “China.” He described it as “that one particular nation-state … with the capacity and the intent. That worries me.”