


by CSO Contributor

Case Study: Department of Transportation

Mar 01, 2003 | 2 mins
CSO and CISO, Data and Information Security

Lisa Schlosser, the Transportation Department’s associate CIO for IT security, has gained favorable mentions in White House reviews lately for her efforts to tighten IT security, which likely helps to soften the blow of a failing grade on the latest federal security report card.

As DoT’s first senior-level IT security official, Schlosser says she is taking a long-term approach to improvements. “The changes we have made were done on a three-year plan to get us to a baseline we are comfortable with,” she says. One of Schlosser’s first moves involved spearheading a concerted campaign to integrate security into the agency’s major lines of business, she says. “Making security a part of the procurement process and the HR process - that’s the kind of groundwork we laid last year,” she explains. The DoT now demands that every technology purchase be tagged with two precautions: Security clauses must be included in every contract, and vendors must undergo background investigations.

“This is the first time we integrated security into the capital-planning process, so folks took that seriously, and we spent a lot of time training business unit leaders,” says Schlosser. From that process, Schlosser saw immediately how important it was for security officials to convince agency personnel of the value of their services. “The security folks have to add value to business processes to be taken seriously and for security to be taken seriously,” she says.

One way Schlosser’s staff reached out to prove its value was through a license for vulnerability scanning tools. “That way individual operating units don’t have to go out and negotiate to buy the technology. And having one enterprise license across the business units saves millions,” she explains.

To make agency employees more serious about security, Schlosser’s staff helped devise a cybersecurity handbook, which requires DoT personnel to sign rules of behavior. Contractors are also served with a set of security policies and guidelines.

In the end, such tangible strides toward increased security outweigh the agency’s marks on annual reviews, she continues. “I feel a little more comfortable with our program, and I focus more on that feeling than on the rating. We are implementing a strategy that I think will put us ahead of the game,” she says.