Lisa Schlosser, the Transportation Department’s associate CIO for IT security, has gained favorable mentions in White House reviews lately for her efforts to tighten IT security, which likely helps to soften the blow of a failing grade on the latest federal security report card.As DoT’s first senior-level IT security official, Schlosser says she is taking a long-term approach to improvements. “The changes we have made were done on a three-year plan to get us to a baseline we are comfortable with,” she says. One of Schlosser’s first moves involved spearheading a concerted campaign to integrate security into the agency’s major lines of business, she says. “Making security a part of the procurement process and the HR processthat’s the kind of groundwork we laid last year,” she explains. The DoT now demands that every technology purchase be tagged with two precautions: Security clauses must be included in every contract, and vendors must undergo background investigations. “This is the first time we integrated security into the capital-planning process, so folks took that seriously, and we spent a lot of time training business unit leaders,” says Schlosser. From that process, Schlosser saw immediately how important it was for security officials to convince agency personnel of the value of their services. “The security folks have to add value to business processes to be taken seriously and for security to be taken seriously,” she says.One way Schlosser’s staff reached out to prove its value was through a license for vulnerability scanning tools. “That way individual operating units don’t have to go out and negotiate to buy the technology. And having one enterprise license across the business units saves millions,” she explains. To make agency employees more serious about security, Schlosser’s staff helped devise a cybersecurity handbook, which requires DoT personnel to sign rules of behavior. Contractors are also served with a set of security policies and guidelines.In the end, such tangible strides toward increased security outweigh the agency’s marks on annual reviews, she continues. “I feel a little more comfortable with our program, and I focus more on that feeling than on the rating. We are implementing a strategy that I think will put us ahead of the game,” she says. Related content news Multibillion-dollar cybersecurity training market fails to fix the supply-demand imbalance Despite money pouring into programs around the world, training organizations have not managed to ensure employment for professionals, while entry-level professionals are finding it hard to land a job By Samira Sarraf Oct 02, 2023 6 mins CSO and CISO CSO and CISO CSO and CISO news Royal family’s website suffers Russia-linked cyberattack Pro-Russian hacker group KillNet took responsibility for the attack days after King Charles condemned the invasion of Ukraine. By Michael Hill Oct 02, 2023 2 mins DDoS Cyberattacks feature 10 things you should know about navigating the dark web A lot can be found in the shadows of the internet from sensitive stolen data to attack tools for sale, the dark web is a trove of risks for enterprises. Here are a few things to know and navigate safely. By Rosalyn Page Oct 02, 2023 13 mins Cybercrime Security news ShadowSyndicate Cybercrime gang has used 7 ransomware families over the past year Researchers from Group-IB believe it's likely the group is an independent affiliate working for multiple ransomware-as-a-service operations By Lucian Constantin Oct 02, 2023 4 mins Hacker Groups Ransomware Cybercrime Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe