Pentagon CIO Discusses His Security Plans

Posted on by Tony Kontzer

No one in the room was surprised when Terry Halvorsen, CIO of the U.S. Department of Defense, said during an RSA Conference 2015 forum session on Wednesday, "We're not easy to work with."

With 1.4 million active-duty military personnel to support, a roster of 500,000 contractors, and a requirement to answer to Congress, the DoD is, to put it mildly, a unique enterprise.

"I’m Fortune Zero," Halvorsen cracked. "Everyone else is smaller."

The DoD's combination of size and public accountability presents a variety of challenges, especially on the security front. For instance, mobile security to most organizations implies ensuring that employees using smart phones, tablets and notebook computers from remote locations aren't introducing risk. For Halvorsen, that's small potatoes compared with securing an entire division of troops that has to be moved somewhere for 24 hours before moving again.

"If I can solve the mobility problem for the division I want to pick up and move, I bet I can solve it for the smartphone," Halvorsen said.

The cloud, meanwhile, is an area of difficulty for the DoD because of the sensitive nature of the department's data. If a chunk of that data were to be lost or compromised, not only would there be ample press coverage; there also would be Congressional hearings. Halvorsen made it clear that the DoD's partners would have to join in facing the music.

"You have to assume some of the liability if you want the DoD's business," he said.

There's also the little matter of staffing, which is a conundrum for an organization that cannot compete with the type of compensation private sector employers can offer. Financial limitations make it difficult to attract the top talent, and given the state of security and the value of the DoD's data to malicious actors, talent is what the DoD needs.

"This is going to be a struggle for DoD," Halvorsen admitted. "At some point we're going to have to address the benefits-salary equation, and we'll need congressional help on that."

As if that's not enough, Halvorsen also is contending with an evolving geo-political climate in which his partners are constantly changing. Just a couple of decades ago, it would have been unthinkable for the DoD to partner on military operations with Russia or China.

Today, however, that kind of collaboration is commonplace, and the onus is on Halvorsen and his team to support it with systems that enable global, multilingual sharing of data in a way that lets countries be sure their data is accessible only to the partners they want to see it.

"I've got to have a mission partner environment that I can stand up very quickly," he said.

Despite these numerous challenges, there is reason for optimism in the form of the long-awaited Joint Regional Security Stacks, a sort of security clearing house that will route traffic from numerous DoD facilities to a centralized nerve center. The setup is expected to improve the military's ability to respond to incidents. The JRSS is moving through the testing phase, and Halvorsen said that by the end of 2017, all of the military services should be live on the system. In the meantime, there are other things on his to-do list, such as tapping big data capabilities to make the DoD more predictive in its approach to security.

But what Halvorsen wants more than anything is to improve the way the DoD partners with technology providers, security vendors in particular. Specifically, he wants to make the department more open to sharing insight into its security profile.

"I want you to give me better pricing and better solutions, and to do that, I have to give you better data about the environment," Halvorsen said. "I get that. I can't give you all the data you want, but I have to give you better data in order to get a better analysis of what we're doing."

That doesn't mean he'll be able to tell next year's RSAC crowd that, "We're easy to work with," but any movement in that direction will certainly be a welcome change.
