Governance & Risk Management

Picking the Cybersecurity Czar

Top Leadership Trait: Ability to "Herd Ducks"
Picking the Cybersecurity Czar
President Obama should choose someone as the cybersecurity czar like John Koskinen, who as the deputy director of the Office of Management and Budget in the late 1990s and helped guide the governments year 2000 remediation efforts, says Tom Stanton, a fellow at the Center for the Study of American Government at Johns Hopkins University.

Koskinen once described his Y2K assignment as herding ducks. "You need somebody in the czar position ... who has John Koskinen's ability to herd ducks, to get these agencies, for all of their turf issues, for all of their infirmities, for all of their distraction to other elements of their mission, to focus on this and get it done."

Stanton knows cybersecurity and government, having authored last year's study, Defending Cyberspace: Protecting Individuals, Government Agencies and Private Companies Against Persistent and Evolving Threats.

Despite the title used by Obama to describe the new White House IT security chief - cybersecurity coordinator - Stanton cautions that the official must possess skills beyond that of a coordinator, and be a respected and influential leader. But he added a cautionary though: "The problem is that czars traditionally, at least in the Russian context, have been really bad managers," he says. "What we need in the American context is sound management of this problem."

A lawyer and a former federal government executive, Stanton serves on the board of the National Academy of Public Administration and chaired its standing panel on executive organization and management. He co-edited Making Government Manageable: Executive Organization and Management in the 21st Century (Johns Hopkins University Press, 2004).

Stanton spoke with Managing Editor Eric Chabrow.

ERIC CHABROW: Creating a highly functional cyber security workforce is quite a challenge. Why so?

TOM STANTON: Cyber is a particularly difficult area. The Department of Homeland Security has tried to stand up a cyber defense unit for a long time, and what one sees is a constant rotation of highly skilled people who really don't know how to work in government, who come into these jobs, get totally frustrated, look around, can make much more money in the private sector, and they're gone. We need to grow a crop of people that understand how to manage government processes, which are different from those in the private sector, and who are willing to stay, despite the potential substantial disparities in income, compared to what they could earn in the private sector. This is the kind of management, the kind of leadership that will be needed, that is much more than a single czar.

CHABROW: Do you have any suggestions as to how to do that, especially when salaries outside of government can be much higher?

STANTON: As somebody who went into government for a five-year stint, I can tell you that having a dynamic leader who is working on exciting projects is a wonderful attraction, regardless of salaries on the outside. And, of course, we now have an economic debacle, which potentially could reduce some of the disparities. Government, under the right leadership, could be a great place to work, say, for the next five years. We don't expect cyber types to be lifers, but it would be great to create a system where people rotate in and out, with the expectation that they will be there for four or five years, and really make a contribution as part of a high-powered team. That would be the way I'd attack the problem.

CHABROW: Please provide some examples that you've seen in government - it needn't necessarily be in cybersecurity - where is some kind of incentive or some kind of challenge that brought people into government?

STANTON: I'd look at the National Institutes of Health, where you have medical doctors who could have earned more on the outside, although they get more than the usual civil service salary. They come in because they want to attack some fundamental health problems. I think of the Center for Disease Control in the same light. We have a number of other projects over the years. I was thinking of the Manhattan Project; the Manhattan Project is interesting. There is an organizational device called the Federally Funded Research and Development Corporation that government used in the Manhattan Project, and other projects when people simply couldn't live with the low salaries. It's essentially a captive nonprofit that works for the government.

I would think cyber would be a natural location for this kind of nonprofit that would be like a contractor but it would work solely for the cybersecurity czar and would give the cybersecurity czar the capacity to promulgate and implement various initiatives, and you could pay people, then, more than the standard civil service salary, and you also could develop a culture that had tremendous dynamism involved.

CHABROW: Another cybersecurity staffing challenge is the number of people out there with the necessary skills. Do you see that as a problem? And how would you surmount that?

STANTON: I guess people need to know, coming in, what to expect about government. It would be very useful to have systematic training programs. I'm not the only one who has sat in a room when a political appointee walks in, makes an announcement, "I have today decided the following ..." and everybody in the room, all the career civil servants and me, understood there was no linkage between what they said and what was going to happen.

We need to train our political appointees coming in, particularly those in an area like cyber, where we want them to stay, that this is a real job, and if you are going to succeed, here are some of the tools you need. It could be a three-week training course, it could be very intensive, bring old bureaucrats in, and bring people in to explain both their frustrations and their successes, case studies are a natural here, to show how people have succeeded. That would be the first step that I would take, to make sure that when people take the job, they understand what the job is all about.

On the corporate side, you have the same problem when your CIO may be technically trained, but may not have the people skills to prevail on top management. You need to train those CIOs to have both the technical skills and the people skills if they are going to do their jobs right, and the same is true when somebody comes into government.

CHABROW: In answering the question, you mentioned political appointees, and maybe we're talking about two different things. I was thinking in terms of the technical experience that people are hired in government to do, and the shortage of that. Do you think that is a problem?

STANTON: In today's economy it will be easier. What government has to offer is the opportunity to be at the leading edge of solving important national problems. I view people coming into a cyber unit as having the same mentality. We bring them in because they could really help solve big problems, and that's a challenge for a lot of people who may not necessarily be motivated just by money.

CHABROW: How do you implement all of this?

STANTON: Leadership. Appointing the right person. I mentioned this kind of nonprofit unit, so you can at least pay a little better salaries, and you can also develop much more esprit because it won't be subject to all of the more restrictive government rules, because it will be a nonprofit, rather than an agency of government, but it will be serving a government agency. Then, put somebody in charge of that that everybody respects, who knows how to manage and can lead a team like that.

And the second step, I'm thinking of a former Deputy Director of the Office of Management and Budget, John Koskinen, who helped solve the Y2K problem for federal agencies. He described his role as herding ducks. You need somebody in the czar position, for example, who has John Koskinen's ability to herd ducks, to get these agencies, for all of their turf issues, for all of their infirmities, for all of their distraction to other elements of their mission, to focus on this and get it done.

There is a huge element of leadership at a number of levels, of the cybersecurity effort, in order to make it work. Somebody has got to be willing to listen. For example, trying to influence the private sector. You want to talk to the private sector. You want to find out how can we get the best progress by imposing minimal burdens? And, you want to understand tradeoffs, and you want to understand sector by sector. Where are the weak points? What needs shoring up first? This is sort of an ability of somebody, to sit down and listen to a bunch of stakeholders. It isn't a paper exercise, it's a real exercise. Again, it's leadership. You begin to galvanize people to move forward. You create incentives for that to happen.

CHABROW: It sounds as if the cyber czar should be someone who is an implementer, that the White House should have operational control over government IT security.

STANTON: Operational control is hard, because of the way the laws are written and the way the congressional committees work. But, at least it should be somebody who can bring the agencies together and create incentives, maybe using the Office of Management and Budget and their control over the budget process, to induce agencies, either lead them or support them where they have weaknesses, or create incentives where they are simply being obstinate, different strokes for different folks, depending where the agencies are, in terms of their willingness and their capacity. It should be somebody who knows government and knows how to implement.

You are absolutely right. This is an area where you don't want to be "enny wise and pound foolish, the same way that President Obama moved forward with health information technology, and committed substantial resources in the stimulus bill. This is an area where it is worthwhile to commit substantial resources, as long as we are spending wisely, because we can save an awful lot of money on the back end through problems that we avoid.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.