How FDIC rebounded from major cyber incidents

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Ask the CIO’s audio interviews on Apple Podcasts or PodcastOne.

Two years after the Federal Deposit Insurance Corporation endured as many as six cyber incidents over the course of eight months, the changes in policies and procedures have demonstrated success.  But with cybersecurity, every chief information officer knows success is short lived.

This is why Howard Whyte, the FDIC CIO, brought in a third party expert to help develop a roadmap to further keep his agency’s data and network secure.

“We have taken action to address each and every one of those, I call, advisories provided to us. We continue to align ourselves with the cybersecurity framework maturity model. We are looking at where we are today and where do we want to be,” Whyte said on Ask the CIO. “We have taken action to deploy capabilities to detect data leakage, to detect malware. The list of things that are outlined as cyber threats we look to employ capabilities to ensure our folks are trained, we have processes to detect and also to recover.”

Howard Whyte (right), the FDIC’s chief information officer, tells Federal News Radio’s Jason Miller about a third party assessment of the agency’s cyber posture.

Whyte said these efforts are complimentary and on top of the Homeland Security Department’s continuous diagnostics and mitigation (CDM) program and other cyber tools.

Whyte, who came to the FDIC in January 2017 as the chief information security officer and became CIO in October, said he took on a broad review of the agency’s policies, practices and procedures around cybersecurity, including risk management and basic cyber hygiene due diligence.

One big challenge when Whyte came to the FDIC is he was the third CIO in three years with the other two leaving under unfortunate circumstances.

Whyte said FDIC is trying to move toward to the top of the cyber maturity model.

“We are actually conducting an external, independent assessment of our cyber capabilities this year. Then we will improve or try to attain the score that has been set by Federal Information Security Management Act (FISMA) and where we fall short, we will continue to take action over the next months, years to continue to make improvements,” he said. “It’s in the planning stages. It’s looking at all of the controls listed, I think there are 108 or more, and then doing an assessment of where we are with those 108 controls, and creating a dashboard so we have the transparency needed not only for the CIO organization but to our customers as well because they want to know how well we are doing to protect the information systems they depend on to execute their mission.”

Whyte, like many CIOs, must find the right balance of controls. No organization can implement every FISMA control because of the potential impact on the mission.

He said FDIC is focusing on indicators of exposure and what actions are they taking to mitigate the level of exposure of people, assets and data.

“We are taking a multi-pronged approach looking externally, looking internally and looking for risks. We are discovering risk and ensuring you are aware of them, and you are ensuring you have the right resources to address the risk,” Whyte said. “Where you can’t address the risk, you have to do some type of acceptance of that risk. But it should never leave your radar because as new technologies and processes come out, you should look at those risks you’ve accepted and try to work them out of your environment.”

Even with dashboards and new tools, the weakest link for most organization are the people. This is what happened to the FDIC in April 2015 when it learned an employee inadvertently compromised the data of 44,000 customers. About a month later, the agency learned of five more “low-risk” incidents where employees mishandled sensitive data.

Whyte said FDIC is heavily focused on stopping data leakage. He said through training, including phishing exercises, other reminders such as posters, and meetings with the divisions discussing the near and actual data leakage incidents.

“We have our own corporate university that helps us develop training where we see a need that we can quickly react, put training together and deliver it to our customers,” he said. “We’ve turned off access and implemented a data loss prevention capability that looks at who is copying data, from thumb drives to CD readers and writers. That is very well controlled and monitored.”

Additionally, the FDIC also relies on a 24/7 security operations center, which monitors the network for misuse cases and other threats.

In addition to cybersecurity, Whyte said his priorities include improving the agency’s operational efficiencies, improving how they manage and protect their data and, of course, IT modernization.

Whyte said for FDIC, IT modernization is as much a technology challenge as a people challenge.

He said having the right people to implement the modernization efforts using approaches such as agile or dev/ops while implementing services in the cloud.

“If we are going to move to the cloud, we have to make sure we have people who are trained in vendor management, trained in the different technologies of the application stack that Amazon or Google or Microsoft may provide. How do we get that information that we would normally walk downstairs and be able touch and feel when you are potentially hundreds of miles away from the data center?,” Whyte said. “We do need to ensure that we have the right human resource capabilities in the corporation to execute on those new operational environments. We are offering them training to readjust the focus areas that they may have been used to operating in.”

He added it’s an education opportunity for both the IT side and the business or mission side.

“We are relooking at our governance processes around IT. I want IT to be agile, but I do not want the governance process to stifle innovation or the delivery of capabilities to the business,” Whyte said. “We want to streamline governance. We want to publish how we operate and what are the requirements and gates that have be passed through to get IT operational, and then monitored and continuously improved. We are looking at enterprise architecture and governance as frameworks and wrapping it around risk management to make sure we are doing the right things based on requirements.”