Cyber scorecard leverages rivalry at DOJ agencies

The Department of Justice uses a cybersecurity scorecard issued at every one of its monthly CIO council meetings to stoke a friendly rivalry between component agencies, a senior official said Tuesday.

“We all look very closely at the scores, because it’s reported to the council with everyone right there,” Karl Mathias, the CIO and assistant director of the U.S. Marshals Service, told a breakout session at VMWare’s Public Sector Innovation Summit, presented by FedScoop.

“I have standing instructions to my CISO,” he added, “I want to see [the Bureau of Alcohol, Tobacco and Firearms] in my rearview mirror  on that card. We beat them every time.”

Mathias credited Justice Department CIO Joe Klimavicz with the idea.

Asked about the basis for the scores, Mathias declined to go into detail, but said basic hygiene measures and patching were included.

He told CyberScoop the competition between the dozen-plus components was “good natured and healthy.”

He noted that it was sometimes hard to make the case for “shiny new IT toys” in a constrained budget environment.

“It’s a tough argument to make for that spending, when you have someone asking for guns and tactical vests,” he told a packed session.

Data, like that from the scorecard, and a solid risk-based foundation could help, he said. “You have to do    that risk assessment … and shift resources accordingly.”

“These are tough decisions to take in any organization,” he said.