State Department Chief Information Security Officer William Lay has spent three decades working in federal IT, for both civilian and military agencies.
His appointment as CISO and deputy CIO for information assurance at the State Department in September 2012 capped a career that ended this summer, and we caught him in a reflective mood on his final day at work last month.
The transcript has been edited for length and clarity.
SNG: Your successor hasn’t yet been named, but if there was one thing you could tell him or her, what would it be?
William Lay: ‘If I were leaving words of wisdom behind, the main thing would be flexibility. The IT and the cybersecurity landscape evolves very rapidly … You can’t ever rest on your laurels … You can’t assume that you’ve ever got it figured out or that you have a recipe [for security] that’s gonna stand the test of time.’
The speed of technological change has been disruptive for a long time, Lay said, but nowadays it’s increasingly exponential.
‘The velocity of change has always been rapid, but especially in cyber, it’s basically become a blur … You have to keep your eyes open, stay on your toes … You must anticipate the unexpected.’
SNG: But isn’t that very difficult in government? Isn’t the essence of bureaucracy standardization and repeatability?
WL: “If I were to speculate, that might be why big bureaucracies find themselves so challenged with cyber. It’s difficult for a huge organization … I would argue that any organization of a certain size has those challenges.’
‘When you’ve got hundreds or thousands [of end users] that you’re trying to choreograph … some of the organization’s gonna be out of step. It’s just very hard to get all the pieces and parts moving in unison … That really is a significant challenge despite all the effort, time and money spent.”
‘We hear all the time about agile. Agile is much easier said than done, but to be effective in cyber in particular, you’ve got to be quick on your feet.’
Asked about agile management strategies and the U.S. campaign to put a man on the moon, Lay argued that unity of effort is easier toward a singular goal than it is in the cyber conflict — which more resembles a daily war of attrition against a hydra-headed adversary:
“The biggest challenge [for me personally was] … telling the story consistently to a large enough number of people that it starts to resonate … The hardest thing about getting a new idea in is getting the old idea out and that’s particularly true in cybersecurity. People will focus on what they know and what’s worked before.”
Against an adaptive adversary, that’s a losing strategy, Lay acknowledges.
‘It’s hard to get the word out that … The way you’ve been doing it, while it’s been successful, we need to adjust. It’s not that it’s wrong, it’s just no longer as effective as it once was.’ And that’s hard for people to adapt quickly because they’ve invested a lot of time, money, training … into doing it a particular way and when we run into a situation where that no longer is a sufficient defense then it’s a tall order to communicate: Well now we have to change yet again.’”
“It gets exhausting to communicate … It’s what I call information security fatigue.”
That fatigue can end up being a real problem, even inside the CISO’s office.
“You feel like you’re running as fast as you can, but somebody keeps turning up the speed on the treadmill … and you can’t put your finger on who … And it wears even your best practitioners down because … it can become demoralizing … many times you feel like, why am I even trying so hard if at the end of the day it’s not going to be sufficient. So part of it is keeping people motivated.’
SNG: Is there any one project or achievement of which you’re especially proud?
WL: ‘The thing I’m proud of and what i’ve observed, [over three decades of government service] especially here at the State Department is, whenever we would have an event … people immediately get motivated and work together. The office politics melt away, the turf battles are no longer an issue … Everybody says ‘OK we’re getting this together.’ When they recognize the problem they get serious.’
Across the department, across the entire federal government and among contractors, ‘There was always a very positive willingness to lean in [to tackle a crisis] … That was reassuring, because a lot of the time all you hear about in this town is the animosity.’
SNG: How has the policy environment changed in the years you’ve been working this issue?
WL: ‘A few years ago when [the Federal Information Security Management Act, or] FISMA was younger, a lot of the emphasis was on the system owner… [The office or official who was responsible for the system] was responsible to ensure that that system was secure … that sufficient resources were there to secure that system … That was, to be honest, a bit of a naive approach. To have security, you really have to have a systemic, enterprise-level approach.’
‘What I’ve seen over the past few years, across the government there’s much more of an understanding, especially with the internet, that no system is an island — I’m talking unclassified here — you can’t just say: ‘my system is secure.’ … Life is not that simple … you have to have an overarching architectural and enterprise-level view of how you’re going to address security and risk.’
‘With that … broadening of understanding the resources have become more forthcoming … We’re not as resource poor as we once were, but the flipside of that is … it does require we have to synchronize our policy and our governance … the communications have become a lot more complex … everyone has to be working in concert for all of it to function.’