Chief of the Year: Information Security
John Streufert, chief information security officer, State Department.
On June 15, Government Executive is featuring the government's chief officers of acquisition, finance, human capital, information and information security in a special issue of the magazine. This year we've identified individuals to highlight as Chiefs of the Year -- not necessarily because they are unsurpassed in their fields, but because their peers have much to learn from their experiences.
Chris Flynn
John Streufert
Chief Information Security Officer
State Department
John Streufert is ahead of the game when it comes to managing cyber threats. While other agencies are just starting to shift from the costly annual reports required by the 2002 Federal Information Security Management Act, under Streufert's leadership, State is evaluating its information technology systems every two to 15 days and has reduced security risks by 90 percent.
State's continuous monitoring process relies on a grading system that assigns values to threats, such as missing security patches or failed security compliance checks. Each embassy or office is evaluated on its ability to mitigate those risks, and its performance is made public for the rest of the department to see. In the upcoming months, Streufert's team expects to make top marks three times more difficult to achieve.
"Everyone in the organization gets graded on their progress in the last 30 days, and ambassadors know their rank across the department and within their region," Streufert says. "We're leaning on the fact that everyone wants to do the right thing but just can't figure out which problems to address first."
Streufert incentivized action by providing performance reviews that are shared across the department, says Matt Coose, the Homeland Security Department's director of federal network security. "I'm a big fan of John's approach to leveraging human nature to drive progress. It's natural human behavior to be competitive and want to succeed," he adds.
According to Streufert, better collaboration and a departmentwide emphasis on security is another significant factor in State's success. In only 11 months, his plan integrated the work of more than 4,000 employees across 24 time zones to achieve the 90 percent reduction in the number of security risk points on personal computers and servers at overseas sites and 89 percent at domestic sites.
"The idea that you could bring an organization together to work in harmony for these results is one of the important take-aways from the State Department experience," he says. "All that was necessary was to set the goals and set up a mechanism so people could concentrate their energies on the most serious problems."
And Streufert isn't keeping those methods to himself. He has shared State's documents and tools with other agencies, and he regularly works with CIOs and CISOs across government to troubleshoot their monitoring processes.
"He's giving away the stuff he built," says Alan Paller, director of research at the SANS Institute. "He spent the money, but he's happy to help. He's not asking people to buy software."
NEXT STORY: Lawmakers criticize growth of federal workforce