Contact Congress: Eliminating the White House CISO Office is Not OK

Suppose that you are a stakeholder in a large organization that handles the most sensitive information imaginable, and that is constantly being targeted by the most capable nation-state attackers. Suppose further that this organization had no Chief Information Security Officer until five years ago, but that it finally managed to recruit a leader and put together a team – albeit with salaries at a fraction of what one might expect.

Now let’s say that you wake up this week to find that the CISO position has been abruptly eliminated, and that the function has been merged into an adjacent team with insufficient capability, resources, or leadership in IT security. The justification for the shift is unclear, but politics certainly seems at play – with the outgoing CISO penning a public warning that security in this organization is going to hell in a hand-basket.

The above narrative describes accurately what happened this week at the White House. As an American citizen with an intense personal devotion to cyber security, I am appalled at this rash and potentially disastrous decision. And if you care at all about enterprise cyber security, then I hope that you will share in my outrage – even if you admire and support the President. You do not have to reject someone to disagree with their actions.

Dimitrios Vastakis is the now-departed CISO, and you can read his official memorandum here. I believe his salary was roughly $130K, so if he takes a job at some Beltway company in DC, then he will see an increase of five times that rate. I mention this because one of my graduate students suggested that Vastakis’ note seemed like sour grapes. I suspect nothing could be further from the truth. He'll move to a more lucrative position for sure.

Look – I know that many of you support Mr. Trump, but please set aside the politics on this one, and join me in reaching out to Congress. Below is a letter that you can cut, paste, tailor, and send to your US Senator (or Representative). I’ve written it in a manner that should be appropriate for both sides of the aisle. Congress should hear from our community that this decision to dissolve the CISO position and office at the White House is not OK with us.

The Honorable <insert name>, United States Senate, Washington, DC 20510

Dear Senator <last name>:

As a resident of <insert your state or district>, I wanted to share my displeasure that the White House recently dissolved the Office of the Chief Information Security Officer (OCISO). I believe such action places the Presidential Information Technology Community (PITC) at serious risk of a major IT breach.

I have not heard your official position on this issue, and would request that you make clear publicly that such rash action is inconsistent with best practices in Government IT Security, and in conflict with recommendations from the OA Office of General Counsel (OA GC).

The importance of cyber security in our nation cannot be overstated, and your opposition to this action will help to ensure that the White House CISO position and office be immediately reinstated so that cyber threats to the PITC can be prevented.

Sincerely,

<your name, address, phone, email>