
10 Facts About New Federal CISO Position

Candidates Face Arduous Application Process
Federal CIO Tony Scott will be the new federal CISO's boss.

Got what it takes to be the first U.S. federal government chief information security officer? If so, President Obama has a job for you.


Obama announced Feb. 9, as part of a multifaceted cybersecurity initiative, that he's creating the post of federal CISO to "oversee [cybersecurity] activities across agencies and across the federal government, as well as make sure that the federal government is interacting more effectively with the private sector, which obviously contains a huge amount of vital and critical infrastructure, and has to be protected."

According to the White House, the job requires the ability to implement a cybersecurity vision in a continuously changing environment; lead people toward meeting that vision; drive results by applying technical know-how, analyzing problems and calculating risk; demonstrate business acumen by strategically managing people, finances and information resources; and build coalitions in and out of government, domestically and abroad, to achieve common goals.

"The federal CISO is the recognized federal expert and authority on policies, procedures, guidance and technologies impacting the federal government's cybersecurity program," according to a description on usajobs.gov. "The federal CISO establishes the direction of federal cybersecurity policy and strategy; to include management practices and budget priorities; and for overseeing implementation across the entire government."

Federal CIO Tony Scott describes the responsibility of the new federal CISO.

The Job

Here are 10 facts about the newly created position. The federal CISO will:

  1. Report to the federal CIO, Tony Scott, whose statutory title is administrator of E-Government and IT. The new CISO will be housed in the Office of E-Government and IT within the White House Office of Management and Budget.
  2. Receive an annual salary of between $123,175 and $185,100 (compared to the average chief security officer salary of $140,250 to $222,500, according to the Robert Half Technology 2016 Salary Guide).
  3. Serve as the federal government's lead cybersecurity strategist in the continuing cybersecurity risk assessment of the federal IT environment by employing widely accepted frameworks.
  4. Act as the liaison between the White House and the departments of Homeland Security and Defense, the Office of the National Intelligence Director and agencies' CISOs for all federal cybersecurity activities.
  5. Receive top secret/sensitive compartmented information security clearance. The federal CISO will handle information concerning and derived from sensitive intelligence sources, methods and analytical processes.
  6. Meet certain qualifications to be certified by an Office of Personnel Management review board to receive "senior executive service" designation. A senior executive service position is somewhat analogous to a high-ranking military officer.
  7. Chair the Federal CIO Council's Information Security and Identity Management Committee as part of his or her duty to effectively coordinate and align agencies' CISO IT security governance.
  8. Establish a governmentwide program to address the recruitment, retention and training of cybersecurity experts, with a focus on not just technical experts, but also versatile professionals who can effectively expedite IT along with the government's mission and business functions.
  9. Design, implement and maintain effective cybersecurity performance measures for the federal government and lead the effort to maximize the value and effectiveness of security performance measures associated with the Federal Information Security Management Act, the law that governs federal IT security.
  10. Offer suggestions to the annual president's budget that reflect cybersecurity priorities across federal agencies and ensure coordination and integration with the overall federal IT budget process.

Scott, in a White House briefing, says he suspects the new CISO would have face time with the president.

Proving You're Right for the Job

The application process to become the first CISO is an arduous one, involving the submission of a narrative statement that addresses the candidate's qualifications. The statement should include examples of experience, education and accomplishments.

Prospects must demonstrate experience in working with executives and managers on the identification of large enterprise business requirements, understanding cyberthreat activities and methodologies and establishing risk-based cybersecurity policies, strategies and measures to address current and emerging cyberthreats.

Applicants must show they have senior-level experience in successfully implementing cybersecurity policies, strategies, procedures and guidelines that address the full lifecycle of information technology services development and delivery, in large enterprises, to include requirements for integrating security requirements into provisioned services agreements and other contractual arrangements.

Technical Know-How a Requirement

They also must show technical expertise in understanding complex, interconnected, modern Web and other current technology platforms/system architectures, software development practices and cybersecurity solutions; securing enterprise IT architectures, networks, systems, data and applications, to include mobile and customer facing applications; and leading responses to large-scale cyber incidents.

A degree in information management or computer science is highly desirable.

The deadline to apply for the job is Feb. 26.


About the Author

Eric Chabrow


Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.



