The Influencers: John Streufert
Deputy Chief Information Officer for Security
Department of State
Why He's an Influencer
Since July 2008, Streufert has headed the State Department's implementation of continuous monitoring of its worldwide information networks, significantly reducing material weaknesses in State's IT systems. By employing a scoring mechanism known as the Risk Scoring Program he helped devise, the amount of risk to State's IT systems was reduced by 90 percent in one year.
The likes of Federal CIO Vivek Kundra and Sen. Tom Carper, author of FISMA reform legislation, hold up Streufert's work as a model for how other agencies should seek new and more realistic ways of judging IT security, in contrast with current practices derived from the Federal Information Security Management Act, which emphasize so-called "paper compliance" with Office of Management and Budget directives.
Streufert has served in technical management roles for the Agency for International Development, where he began implementing some of the practices adopted at State; the Federal Crop Insurance Corp.; Naval Shipyards and the Naval Sea Systems Command. In 2004, Streufert received the Distinguished Presidential Rank award and in 2005 he attained the highest IT security score of the federal government as assessed by Congress. Streufert joined the State Department in July 2006 as deputy CIO and chief information security officer.
What's Said About Him
John Gilligan, former Air Force and Energy chief information officer:
"John Streufert ... understands how to balance security with other mission objectives. He's not single focused; security is not the only thing State Department's IT group is trying to achieve. He's taken a very practical approach. He's not just trying to follow the law or the guidelines that NIST has put out. He's trying to improve security, and he's trying to look at how to do that in the most cost-effective way, sort of a CIO perspective on where I can get the most benefit.
"What's unique about John Streufert is that he has demonstrated how to use enterprise visibility and enterprise scoring as a way of encouraging the highly distributed organizations in the State Department. There are lots of embassies that technically do not come under the direct control of the CIO, yet by providing automated assessments and providing visibility and sending letters to the IT folks and ambassadors, saying this is your score and these are your problems, he's been able to make dramatic progress in terms of getting them to focus on these important security issues."
Sen. Tom Carper, D-Del., on the Streufert-led IT security real-time monitoring initiative at State:
"Instead of spending money on ineffective paper-based reports, the State Department decided to focus on developing a system that monitored their global networks on a continual basis. ... This was achieved by developing a system that makes sense, uses effective metrics and holds people accountable. In essence, the Department of State can prove they have better security at a fraction of the cost."
In His Own Words
On FISMA and beyond:
"What the current law concentrates on are snapshots of processes and compliance. No one can argue that there is zero benefit from this. There is a certain benefit to know what is connected to the network."
"When I think what has happened over the last half a dozen years is that the security environment is changing so rapidly that some ongoing measurement of where progress is being made and lowering risk is also seen to be something very valuable to include. Almost all of the new proposed pieces of legislation that have been introduced or are now being evaluated ... respond to the fact that the security environment has become more dynamic and that some combination of more frequent scanning or more frequent penetration testing will undoubtedly be helpful to protect the .gov networks."
On the State Department's continuous monitoring program:
"We are constantly taking these snapshots and highlighting what the very worst risks are at the top of the pile for our security professionals to change. ... When these worst risks were [brought] to the attention of security managers - there can be dramatic changes of risk getting rid of the worst problems first so that is probably a benefit of having the frequent scanning in combination with the highlighted attention to the worst risk."
"The process of having a dashboard and continuous scanning gives a chance for not only the technical professionals at any particular location of the Department of State, an embassy, but also the manager of a particular bureau in Washington, to know exactly where they are, both individually against these defined criteria, and also how they rack up in standing against their peers."
GovInfoSecurity.com Content Featuring Streufert:
- Interview: Leaving FISMA in the Dust: A True Metric for IT Security
- Interview: Putting Consensus Audit Guidelines to Work
- Automated FISMA Reporting Tool Unveiled