The main goals of the forum were to gain a better understanding of each organization and how they operate, discuss best practices on how they are making the capabilities they deliver more secure, and identify collaboration opportunities between the CISOs. Also in attendance were the Department of the Navy chief information security officer (DON CISO) and the deputy branch head, compliance branch, cybersecurity section of the command, control, communications, and computer division for the deputy commandant for information at Headquarters Marine Corps.
A CISO’s job is to connect the technical cybersecurity component of a command, such as addressing a tasking from the Office of the Chief of Naval Operations or Fleet Cyber Command, with the business side of the enterprise, including implementing strategy, enforcing policies and ensuring compliance. The DON CISO position is one of four relatively new directorates that fall under the DON chief information officer (CIO) and special assistant to the secretary of the Navy for information management. The others are chief technology officer, chief data officer and chief digital strategy officer.
While the SYSCOM CISOs had met individually before, they had never come together for a day-long forum to discuss how to support their common mission.
“At the end of the day our mission is protection from lethality,” said Chris Cleary, DON CISO. “As CISOs, we need to bring threat and mission awareness into our jobs every day to support our customers by hardening their systems, by making them more secure.”
The forum began with a briefing from each SYSCOM that covered their responsibilities, organizational construct, domain challenges and campaign plans. The afternoon covered more targeted topics including:
- Cultural change and the workforce
- Defense industrial base and supply chain risk management
- Cybersecurity Maturity Model Certification and the acquisition process
- Risk Management Framework implementation
- Alignment in reporting from cyber planning and response centers
“I think the most important thing I can take from this meeting is learning how other organizations are doing business,” said Jeremy Hyland, CISO, Naval Sea Systems Command. “This is such an important exchange of information for all of us who are in these relatively new [to the Navy] positions. I know I will take many lessons learned back to my command.”
The inaugural meeting came to fruition due to the dramatic increase in cybersecurity threats and focus on the Navy’s ability to proactively protect networks, systems, applications and weapons systems. As the Navy’s first CISO, Cleary also saw the need to form a sense of community to provide support and collaboration for those in the CISO role.
“Anytime you get SYSCOMs collaborating where there are touchpoints between capabilities we produce and how they are implemented in the fleet, the fleet benefits,” said Mark Compton, NAVWAR CISO. “You get better weapons systems to start with, improved support for those, and you are able to balance the approach to cybersecurity as it relates to weapons and command, control, communications, computers and intelligence systems.”
The group also examined the role a CISO plays to champion the cultural change needed in the Navy, where personal commitment to cybersecurity is required to gain access to the network. According to the recently released DON Information Superiority Vision, “we must weave the information environment into every Sailor, Marine, and civilians’ career paths, educational opportunities and exposure to advanced technology.”
“When I stepped into my current position just a few months ago, I quickly learned that CISOs are the cybersecurity glue that will hold all the CIO shops together at the echelon II level,” said Tonya Nishio, command information officer for NAVWAR, in her opening remarks to the group. “Coming together today is a critical step to getting more aligned so we can be more impactful to our organizations and to the Navy as a whole.”
The next iteration of this forum will include additional personnel, such as information system security managers and officers, to broaden the discussion. There is also the potential for a similar forum to sync up with CISOs from other services.