Posted by: Robert Westervelt
Mark Weatherford will focus on cybersecurity operations and communications resilience at the Department of Homeland Security.
Mark Weatherford, vice president and CSO at the North American Electric Reliability Corporation (NERC), has been appointed to the position of Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate at the Department of Homeland Security.
The appointment was announced by DHS Secretary Janet Napolitano today, and is effective mid-November. The newly created position will focus on cybersecurity operations and communications at DHS. Cybersecurity leadership at DHS has undergone some changes of late. Philip Reitinger resigned in May to take the position of CISO at Sony.
Weatherford took on the CSO role at NERC in 2010, shortly after the Stuxnet worm surfaced. He is said to have bolstered information sharing there. He started a “Malware Tiger Team” to share accurate and usable Stuxnet-related information among facilities.
He also called for more rugged software in the wake of Stuxnet, after it was discovered that the malware targeted four Microsoft zero-day vulnerabilities.
An Information Security magazine Security 7 Award winner, Weatherford was previously director and CISO of the state of California. He also spent six years as the CISO of the state of Colorado. He developed a Data Governance Working Group that defined the data security lifecycle for state agencies. Weatherford also formalized the state’s vulnerability management program to address Web application security issues.
In an essay he wrote for Information Security, Weatherford said that strategic planning often falls short in the security industry.
“We haven’t devoted the deep thought necessary to create a vision worthy of being called a Strategic Plan. I’ve done the annual strategic plan dance more times than I care to admit because creating a Strategic Plan takes real time and real effort, which is difficult to justify when you find yourself in more of a firefighter role than a CISO.”
Data governance and classification
In this video, Weatherford, who was CISO of California’s Office of Information Security and Privacy Protection, gave advice on the importance of data governance and classification.
“The fact that data is ubiquitous and resides everywhere means that you have to know where it is and what systems it resides on,” Weatherford told SearchFinancialSecurity in 2009. “An asset inventory is critical to knowing where the different types of data reside within your organization.”
Identifying assets is doable, he said, adding that business and IT need to work together to identify the most critical data that needs to be protected. The business people own the process and should be engaged and working with security professionals in order for data classification projects to be successful.