When Kevin Charest last October became chief information security officer at the Health and Human Services Department, his first order of business was to tackle governance.
With a highly federated model featuring operating divisions spread throughout the country, Charest wanted the department’s CISOs to be able to speak with one voice, along with sharing best practices and lessons learned.
To fix that, Charest instituted a departmentwide CISO council that — unlike the working group that preceded it — features its own formal charter, voting rules and standards. It’s also been able to attract the CISOs from each operating division instead of executives a little lower on the CISO food chain like the working group.
Charest said the council has been in place since January and focuses on broad-based initiatives where there is a security component.
“Before the council, we basically had a loose group of people talking to each other but not able to speak with one collective voice,” Charest said. “Now, we’re all able to get on the same page as a department, and that gives us a better way to speak with the departments’ CTOs and CIOs as well.”
Charest said he’d like to see the federal government do the same thing. He said department CISOs are already getting together across agencies to discuss information security concepts of operation and challenges such as continuous monitoring.
“The reality is, no one is in a vacuum and we can’t just rely on DHS or one entity to handle the government’s larger security problems,” Charest said.
As for his priorities, Charest said they fall in line with department Chief Information Officer Frank Baitman, who is looking to create a certain technology baseline for the department.
Charest said he’s doing that in the security space and wants each part of HHS to be at a certain minimum security level and then, ultimately, bring that level up across the department.
“Some components have a robust information security program, some do not, and still others are in the middle,” he said. “There’s been no baseline, but instead the individual program’s success has been dependent upon those CISOs who were better at getting resources than perhaps some of the others. The squeaky wheel was getting the grease, but the problem is everyone needs the grease.”
Charest made the point to the operating divisions that he believed a significant percentage of the cyberinfrastructure could be commoditized. The rest, he said, depended on the individual division’s mission.
The key, he said, is coming to an agreement on what comprises that percentage to better facilitate activities such as dashboarding, trending and simply understanding the cyberenvironment.
As for priorities, Charest said one of his biggest is securing the cloud and the department has been one of the earliest players in the Federal Risk and Authorization Management Program.
Charest said that just last week, HHS completed an agency-sponsored third-party authorization for Amazon Web Services, in what he believes is the first in the federal government. That will allow other federal agencies to use the same model HHS, working with FedRAMP, developed and help them get to the cloud more quickly.
“We’re trying to break new ground,” Charest said, “but the biggest part is that every part of HHS was on board. They’ve all got skin in the game, so instead of this being a mandate from the department HQ office, this is something they’ve all already bought into and that’s a huge key.”