Yesterday's congressional hearing on Obamacare's faulty Web site gave CGI and the other federal contractors a chance to explain themselves. Instead, we saw a lot of finger-pointing and blame-shifting. One particularly egregious moment had QSSI Executive Vice President Andy Slavitt downplaying his company's responsibility for securing the information in his system.
"Our systems don't hold data," he quibbled. "They just transport data through it."
"You don't have to hold it to protect it," Rep. Mike Rogers (R-Mich.) fired back.
In Slavitt's defense, data security may not have been an explicit feature of QSSI's federal contract. But the fact that he thought this dodge would fly says a lot about executives who work with some of the nation's most sensitive digital infrastructure. They just aren't equipped to understand the weaknesses that make their systems vulnerable to cyberattacks.
Safeguarding machinery, even if it's digital machinery, can seem like busy work. But in fact, as a new set of cybersecurity guidelines crafted by industry leaders and released by the government points out, effective IT security calls for a great deal of buy-in from top-level officials. They don't just set an example for the rest of the organization when it comes to digital hygiene; they're sometimes the only ones with enough power and authority to change a company's security culture. Northrop Grumman's chief information security officer, Michael Papay, routinely tries to hack his own employees' e-mail accounts — which, he says, has made them more aware of the dangers of e-mail phishing scams.
"This is not an area where [companies in the same industry] are necessarily competing against each other," Papay said at the first workshop in March to design the guidelines. "We may fight like cats and dogs over procurement contracts, but. … If my information security network is infiltrated, it's likely theirs will be as well, because we carry some of their key information."
But there's only so much a CISO can do without being supported by the other C-suite execs around him. That's why the draft cybersecurity guidelines, which were released earlier this week, ask readers at the outset to make sure cybersecurity risk is "appropriately integrated" into overall business risk and that the document successfully provides "the tools for senior executives and boards of directors to understand risks and mitigations at the appropriate level of detail."
In plain English, the private sector is really concerned about its own executives who foolishly accept gaps in online security because they don't think it's their responsibility. Slavitt falls right into that category.