Commerce CISO: Cybersecurity is about more than technology


With the goal of building a cadre of highly skilled cybersecurity experts, the Commerce Department tripled role-based training completion in three years and implemented an award-winning personally identifiable information training program department-wide.

"IT security training is a real big, big push for us at the department," said Commerce Department Chief Information Security Officer Rod Turk during a May 20 panel discussion at ACT-IAC's Management of Change Conference in Cambridge, Md.

But ensuring cybersecurity at the department depends on more than just technology, he said.

"Technology doesn't always carry the day when you need to present a program to a set of executives in a federated organization," said Turk.

Department CISOs and the teams that support them have to coordinate with an array of stakeholders.

"I need people who can understand budgets. I need people who can understand human resources. I need people who can write business cases. I need people who can communicate," said Turk.

"Now, notice I didn't say technologists. That's important, too, but in order to get the programs in place to be able to move security forward, I have to have a diverse group of people to be able to present that forward," he added.

Looking beyond granular technology implementations and seeing the larger security environment is important, said Turk. In federated organizations, such as the Commerce Department, collaboration plays a major role in ensuring security, he said.

The ability to share information and understand what's happening across the enterprise is key, said Turk. In fiscal 2014, the department plans to stand up a department-wide cybersecurity situational awareness system called the Enterprise Security Operations Center.

"We want to be able to take the status feeds and provide a dashboard presentation for Simon [Szykman, Commerce CIO], so he can see what devices are covered, what devices have secure baselines, what the patch level is, for example, throughout the enterprise," said Turk.

"We can then provide that near-realtime view to Simon and the other CIOs within our federated organization. So, they can see what their security posture is," he added.
