Poor Michael Daniel. The White House cybersecurity coordinator and the man who “leads the interagency development of national cybersecurity strategy and policy” is taking a beating in the press. In a recent interview with the federally-focused media outlet GovInfoSecurity, Daniel defended his lack of security technology experience with the following statement:
"You don't have to be a coder in order to really do well in this position. In fact, actually, I think being too down in the weeds at the technical level could actually be a little bit of a distraction. You can get taken up and enamored with the very detailed aspects of some of the technical solutions and the real issue is looking at the broad strategic picture."
Security professionals are lambasting Daniel for dismissing technical skills in the highly technical cybersecurity arena while others credit Daniel for trying to bring cybersecurity up to a risk, policy, and program level.
I pride myself on taking a position, but in this case I think both camps are right and both camps are wrong. Allow me to elaborate:
- Daniel is right to suggest that cybersecurity isn’t just a technical issue. We do need to bring the discussion up to a level at which business executives, legislators, and average citizens understand risk, so they can choose appropriate mitigation actions, enact legislation, and behave appropriately. ESG is working with corporate boards in a similar manner.
- Daniel’s statement was a tad myopic about the need for technical security skills at a detailed level. I’m not suggesting that the White House cybersecurity coordinator should be a penetration tester or ethical hacker, but then again, there’s a reason why the director of the Centers for Disease Control is a physician. Both policy and technical knowledge are needed in a leadership position of this magnitude.
Here’s another analogy that may hit closer to home in the enterprise security community. Large organizations employ CISOs and other team members like security analysts, security engineers, etc. You don’t expect the CISO to do feature comparisons of AV software or write firewall rules. Instead, CISOs are employed to manage cyber risk while supporting business needs. Having said this, you still need an adequate number of folks with the technical chops to implement controls, detect attacks, and monitor what’s happening across the whole enchilada – Layer 2 through 7.
So CISOs may not be the people in the weeds, but the best CISOs I know have the technical aptitude to be able to navigate the weeds, make information-driven decisions based upon activity in the weeds, and translate what’s happening in the weeds to the business executives.
In a blog I posted last year, I suggested that the federal government really needs two cybersecurity czars: one with the inside-the-Beltway experience to herd cats in Washington, and one to work externally with security technology vendors and the public. My assumption was that each of these people would also need deep technical skills. With all due respect to Mr. Daniel, I stand by this assertion. Yes, we need someone to champion and facilitate cybersecurity policy and action out of Washington, but it had better be based upon sound technical facts rather than rhetoric, partisan politics, or lobbying dollars.