Opinion
What Should WH Cybersecurity Coordinator's Job Description Look Like? One Man's View
Part 2 of Ariel Silverstone's "Mission Impossible" series: If President Obama's new cybersecurity coordinator is to have any real impact, there are a few things that will need to be worked into the job description.
By Ariel Silverstone, CISSP
During the horrific attacks on 9-11, the terrorists targeted some of the most visible symbols of United States pride. The twin towers, standing tall in our most visible city, represented to some the wealth, reach and power of our United States. The Pentagon represents the might and force of our military power.
Imagine what would have happened if the targets in New York City had been slightly different: What if the New York Federal Reserve Bank, holding the gold bullion of many nations, had been hit? What if a certain data center "hoteling" point had been targeted?
These are not rhetorical questions. These are real, soul-searching questions that should be researched, addressed, and protected against. The answer in terms of loss of life will not be easily known. The financial and transactional loss, and with it the resulting damage to our nation (and indeed the global economy), would have been disastrous.
Task 8: Demand that disaster preparedness and business continuity programs be developed, maintained, tested and updated by all identified sensitive sectors, with the aid, support and verification of the United States government.
Because the task above, while obvious in its necessity to most, is costly, I urge that a public debate on its priority, essential nature, and cost mitigation take place. I expect this task to be a very hard "sell" to many elements in the private sector.
Since more and more of our information business is handled by companies and networks that are global in reach, I would recommend a more active participation in worldwide standards organizations. Chief among those is the International Standards Organization, the ISO.
Some of the excellent work performed in the United States, for example in the fields of disaster recovery, whether covered under Continuity of Government (COG), Continuity of Operations (COOP), or civilian data recovery (for example, the work by the Disaster Recovery Institute), can contribute vastly to the developing International Standard that will grow out of British Standard (BS) 25999. Likewise, the International Standard 27001 and its related family can be applied to global organizations. These standards are easily audited and have the additional benefit of more readily available people resources to implement them.
I applaud the National Institute of Standards and Technology (NIST) participation in these efforts, and in particular the excellent work done on revision 3 (draft) of the NIST Standard and the revision's "Introducing a three-part strategy for harmonizing the FISMA security standards and guidelines with international security standards including an updated mapping table for security controls in ISO/IEC 27001."