Too Many CISOs Are Spoiling Feds' Cyber Response

An overabundance of cybersecurity leaders across federal agencies is hindering the government’s ability to adapt to the changing digital landscape, according to a top Homeland Security Department official.

Agencies must be able to act swiftly to keep their tech ecosystems secure against a constantly evolving array of digital threats, but excessive bureaucracy within the federal cyber community is impeding that quick action, according to Mark Bristow, director of the hunt and incident response team within Homeland Security’s National Cybersecurity and Communications Integration Center. Though it’s critical to have different groups weigh in on cybersecurity policies, he said, today there are too many cooks in the kitchen to execute a coherent, unified strategy.

“We have too many [chief information security officers] in the government,” Bristow said Tuesday at the Cyber Summit hosted by Nextgov and Defense One. “I understand why they’re there...but it really gets in the way of setting strategic vision. You have all these people who have slightly conflicting guidance and opinions...and what happens is you start to get organizational stagnation because you can’t make any decisions, and therefore you can’t make any progress.”

And according to Bristow, adversaries are already exploiting that stagnation.

Related: America Needs a Whole-of-Society Approach to Cybersecurity. ‘Grand Challenges’ Can Help.

Related: NSA Launches Cybersecurity Directorate

Related: The World Needs Twice as Many Cybersecurity Pros, Report Says

“They know that this is how this works, they count on it with their tactics and techniques,” he said. “We need to flip our operational paradigm in a way that frustrates the adversary."

Bristow isn’t the first federal leader to raise concerns about excess bureaucracy in the cyber community—in January, Rep. Jim Langevin, D-R.I., saidcongressional efforts to bolster the country’s security posture are hindered by the numerous committees that want to weigh in. 

But bureaucracy isn’t the only organizational hurdle that limits the government’s ability to rapidly respond to cyber threats.

The high turnover among agency chief information officers and chief information security officers also limits agencies from executing a consistent digital strategy, according to Nick Marinos, director of the Information Technology and Cybersecurity team at the Government Accountability Office. When these executives leave, agencies not only lose institutional knowledge but they also often need to change their approach to accommodate the new leader’s digital priorities.

“When you have a lot of knowledge and wisdom that may have been there for several years and then that goes out the door … the real question is, ‘OK, what happens next,’” he said during the panel.

Bristow also noted the government’s one-year funding cycles make it difficult for agencies to commit to long-term cybersecurity improvements, especially when budgets are so inconsistent from one year to the next.