by clicking on the page. A slider will appear, allowing you to adjust your zoom level. Return to the original size by clicking on the page again.
the page around when zoomed in by dragging it.
the zoom using the slider on the top right.
by clicking on the zoomed-in page.
by entering text in the search field and click on "In This Issue" or "All Issues" to search the current issue or the archive of back issues respectively.
by clicking on thumbnails to select pages, and then press the print button.
this publication and page.
displays a table of sections with thumbnails and descriptions.
displays thumbnails of every page in the issue. Click on a page to jump.
allows you to browse through every available issue.
FCW : September 15, 2015
Need to know 22 September 15, 2015 FCW.COM of the breaches. He said her performance was part of “a troubling pattern of incompetent management from Obama appointees selected more for their political loyalty than for their expertise, skill or leadership abilities.” Geraghty highlighted Archuleta’s lack of an IT or cybersecurity background and claimed she did not appear to have “any expertise in the vitally important human resources and record- keeping functions OPM is supposed to serve.” But she’s no outlier. At the 24 agencies gov- erned by the Chief Financial Officers Act, most agency heads have legal, political and/or pub- lic administration backgrounds. There are a few exceptions: Secretary of Energy Ernest Moniz has a background in physics and has served on technology and security commissions; Secretary of Defense Ashton Carter has a background in technology, physics and security; and National Science Foundation Director France Córdova has had extensive scientific training. In light of the OPM breach, should the old conventional wisdom — that a good leader knows how to lead people but not necessarily how to do those people’s jobs — go out the window when it comes to cybersecurity? It’s still about people At the end of the day, leadership and management skills are still the key. “Surround yourself with the right people who have the right technical skills, and ask the right questions” was Williams’ pre- scription for agency heads. “Be willing to hold people account- able.” Leaders need to “understand [cybersecurity and IT] at the basic level,” he added, but they don’t need an extensive cybersecurity background. “Large hospitals are not run by doc- tors,” he said by way of an analogy. Patrick Malone, executive-in-residence at American Univer- sity’s Department of Public Administration and Policy, said, “I haven’t ever seen any [federal employees] complain, ‘Dammit, I wish my boss knew more about some Windows 10 update.’ What people are crying about is their agency’s culture.” According to Malone, feds say they need a culture of “com- passion, trust, learning, collaboration and caring.” Good leadership might also be a key to attracting and retain- ing cybersecurity pros. Those skills are in short supply nation- wide, and an approaching spike in the numbers of feds eligible for retirement threatens to widen the government’s existing cybersecurity skills gap. Some observers say one of the mistakes that undermined OPM was putting cybsersecurity in the hands of program office employees who did not have the relevant background. “Soft skills” — though Malone said he is no fan of the dismis- sive connotations of that adjective — unlock “the real magic of leadership”: attracting the right talent, encouraging them to give their best and retaining them. “If you create the right environment, the tech skill will come,” Malone said. “The only way we’re going to get the techni- cal talent — and the only way they’ll stay — is if leaders make them want to stay. Otherwise, you’re going to lose them to IBM, lose them to Apple.” Know the risks Gregory Wilshusen, director of infor- mation security issues at the Gov- ernment Accountability Office, said agency heads need to have a core understanding of what kinds of sen- sitive information their agency collects, how it’s protected, the damage that would be done if the information is com- promised, and who controls and interacts with the agency’s systems in the cloud. “Just because you start to migrate systems to the cloud doesn’t mean you’re absolved of responsibility,” he said. In the future, it shouldn’t be a requirement that agency heads have deep IT knowledge. If they do, “that would be a bonus but not the determining factor,” Wilshusen added. So would OPM have done a better job of detecting and responding to the breaches if a tech-savvy leader had been in charge? Williams said yes, adding that someone who understood the risks would have immediately cut off KeyPoint Govern- ment Solutions’ system access when it became clear that the contractor had been hacked. But Malone said the leader’s role is to foster an open environ- ment, not necessarily understand all the technology. In such an environment, an agency employee who had a solution to the problem would have felt comfortable bringing it up, he added. Wilshusen said the public administrators and lawyers who currently lead agencies are probably capable of picking up the tech knowledge they need as they work, and they’re likely doing so now. “I would imagine there’s a lot more on-the-job training after what happened to Secretary Archuleta,” he said. Catherine Lotrionte went further, however. “Even if you work at the Department of Agriculture, you need to understand securing data,” said Lotrionte, who directs Georgetown Uni- versity’s Institute for Law, Science and Global Security. “You need to have a security-minded person running every single organization or at the top level, even if you have nothing to do with national security secrets.” “Unfortunately, most of these people do not,” she added. “That’s what they said — the OPM director didn’t think of security. Are you nuts?” n “If you create the right environment, the tech skill will come.” PATRICK MALONE AMERICAN UNIVERSITY 0915fcw_016-025.indd 22 8/24/15 4:26 PM
August 30, 2015
September 30, 2015