How CISA Chief Data Officer Is Spreading the Data Management Message

This Q&A is part of a GovLoop series called “CDO Conversations.” We’ll feature conversational interviews with federal, state and local chief data officers to get to know the role and the people behind the titles.

Consistent data efforts across an organization ensure maximum mission effectiveness, innovative solutions and faster response times in emergencies like the COVID-19 pandemic. Chief data officers (CDOs) play a vital role in this effort by being charged to ensure data is used effectively and creatively to support the agency’s mission.

For Preston Werntz, CDO of the Cybersecurity and Infrastructure Security Agency (CISA), that mission is acting as the nation’s risk advisor, leading the effort to understand and manage the cyber and physical risks to critical infrastructure.

The agency is only a couple of years old. It was signed into being in late 2018, so Werntz’s top priority is establishing a good data foundation that lasts beyond his tenure.

The agency is, at its heart, a data organization, Werntz said, so ensuring that its data assets can be used from frontline to top-level employees is the goal. To get there, he is focused on setting up a consistent, agencywide data governance and management system so that CISA can help its partners manage risk better and be more secure.

The interview below was conducted on Feb. 7, 2020 and has been lightly edited for brevity and clarity.

What are your day-to-day responsibilities? What does your workday look like?

A lot of my work to this point has been engaging across divisions — both at the leadership levels and with the program managers and analysts — and seeing what they have been doing to figure out how we’re going to introduce data management and data governance in a consistent way across the organization.

We’ve got a lot of pockets across the organization, a lot of different divisions and programs. They all do data management. They all do data governance. They’ve always been doing it. It just hasn’t been consistent from organization to organization. That has been the biggest thing to start to work toward over the past year with the agency standing up.

Can you briefly tell me what your job description was when you first assumed the Chief Data Officer role and how it has changed now? 

I was actually hired to be the chief data officer for the cybersecurity portion of NPPD [National Protection and Programs Directorate]. At that point, leadership within what was the Office of Cybersecurity and Communications realized they had data management and governance issues. There were a lot of potential things we could do, but we couldn’t do them because of that lack of consistency. When senior leadership started looking at what CISA should look like to accomplish this, they elevated our CTO office, which included me, up to the CISA level. They realized that if we’re going to tackle data management and governance, there should be a chief data officer at the agency level looking at that.

So in some ways, my job has not changed because data management is data management. Data governance is data governance, regardless of the data type. What really has probably changed most is the scope and breadth of what I’m covering now, versus what I was originally just going to cover.

What do you believe the value of a chief data officer is to an organization?

I don’t know if there’s one easy answer. That’s what makes it interesting. The luxury of my job is I get to think about data and its value to the business and the mission in ways that some of the other C-suite offices don’t.

Obviously, CIOs [chief information officers] think a lot about data, but maybe more on how much this data costs to store, how much this data is going to cost to buy, how much this data is going to cost if I have it locally versus in the cloud. And our chief information security officer, our CISO, they think a lot about data, but it’s [about] is this data encrypted at rest? Is it encrypted in transit? I get to think a little more about the value of data to the business and the mission.

Let’s say, on the cyber side, we make a lot of chocolate bars. On the infrastructure side, we sell a lot of peanut butter. I get to think about what happens if you mix that peanut butter and chocolate together. Do I get something new that we’ve never had before? And if we do, does that help either of our mission sets or not? I’m not worried about selling more candy bars, but I’m worried about creating some new ones that help make our partners more secure, which lets them manage their risk better. That’s, at a high level, how I think about trying to differentiate my role from a CIO and a CISO.

What are you doing to carry out this top priority of consistency when it comes to data management and governance?

A lot of that is about formalizing our approach to data management governance to make it sustainable beyond my tenure, beyond our senior leadership. A lot of that is then formalizing it from a documentation expectation — here’s how we’re going to operate, here’s how we’re going to do governance. Does everyone understand that as you come into the organization?

And part of that is instituting a culture at the lowest levels as people come into the organization about how they think about data, how they treat data and what they’re going to do with data. So there’s that top-down piece from documentation and processes, and there’s that bottom-up piece of building culture.

What kinds of efforts are happening right now for frontline employees to start being better stewards of data and use it in their everyday work?

There are two parts that come to mind quickly. Number one is, what I’ve spent a lot of time doing over the past year is trying to get to as many working groups and meetings [where] people are talking about this so I can spread that gospel.

I’ve also begun briefing our new employees. When CISA hires people and they come in for the new employee orientation, I got myself on the briefing agenda so I can get them day one in the door, talking about the vision, the culture we want to get to, their role in that as a new employee and what I expect of them as a data steward. Part of it for me has been this: talk to as many folks as you can — that’s the most important part — and then keep talking to them.

One of the other things we’ve done is we built a conceptual data model. Not a logical physical data model — it doesn’t have rows and columns. But a conceptual layer to talk about what CISA does from a cyber standpoint when you think about a cyber incident, cyber response and cyber risk.

What I can do [with this] is I can start to map our datasets and our systems against this conceptual model. And this way, we can hand that to people and say if you’re building a new system or you’re trying to devise a new product we’re going to post on our website, here are ways to think about it. Here are concepts you should be including. If you’re writing a report, and you need to get some more information about a cyber [incident] like attack patterns or IP address or malware information, here are the five or six data assets across the organization that you should make sure you’re looking at. And if you didn’t know they existed, that’s perfect. That’s what this conceptual model is here for, and that’s served to help folks understand the data that has come into the organization, the context of what it was brought in for and how it is used elsewhere.

When chief information officers were first instated, there was a little bit of difficulty making sure that they had the empowerment to carry out their roles. Is that the case for you? Do you have a seat at the table? And how can others ensure the same?

When I was hired back in 2018, on the cyber side, leadership at that point was aware of this and proactive to say we need this [CDO] role. And I certainly would have had a seat at the table. But that’s not always sustainable, depending on the role of a chief data officer, to make it more institutionalized and sustainable.

In the interim, we’ve had two big things come out. One is the Evidence Act. Title 2 basically says, “Hey, you have to have a chief data officer. Here’s what they have to do; here’s what they should be thinking about.” Legislation is good. That certainly helps get you a seat at the table.

At the same time, you’ve also got the Federal Data Strategy which has come out and talks about similar things about where the federal government needs to go. And if we’re going to go there, you need the leadership from a chief data officer to help drive these things, both within an agency and across the federal government. So those two big foundational pieces, for agencies that were already doing this and had CDOs, were a shot in the arm because it formalized your role.

The last piece of that is ensuring that the data management and governance activities in my office are funded and resourced appropriately to make that happen. I feel very empowered by our current leadership. As that leadership moves out, the nice part now is we have these other pieces through legislation and the Federal Data Strategy that would keep me with a seat at the table and not tied to leadership that might be gone.

What are the next priorities that you will be focusing on once data governance and management are in place?

As those pieces get in place, some of the next big things for us to tackle is better awareness of all the data we’ve got to ensure that we’re able to manage it properly. Once I’ve got a better handle on all the data that lives across CISA, under this kind of management and governance control, now we can enable our folks within the organization to find that data. They’ve got to be able to find the data and they’ve got to be able to understand the data. And, they’ve got to figure out to what degree they can trust it.

We’re looking at an increase of data literacy across the organization. And I talked a little bit about that — that is culture building. Part of that is formal training we need to provide, both to our data stewards —so they know what they should be doing with data, how to capture it, how to catalog it, how to document it — and then for our PMs, our program managers, and leadership.

The data has got to flow across the organization in ways that we can find new ways to use it to improve our current products and services, or think about new products and services, and be able to keep up with the changing requirements that might come in through the White House or Congress.

Do you have thoughts on how the role might change in the future?

You always have to keep an eye on what we’re doing in government versus where industry is going. In industry, there has been this rise of chief data and analytics officers.

Whether or not the government as a whole starts to move toward that chief data and analytics role, or we have chief analytics officers that would be counterparts to me — that’s something I’m keeping my eye on. I think other folks are as well, to see whether these roles naturally progress or, depending on the government agency you’re in and what you do, it may not make as much sense.

What have you been most proud of so far as the chief data officer?

So far, I’ve been very happy with the reception to me in this role. I think when you say, “Hey, here’s our new chief data officer and here’s what they do,” most people are like, “Oh my God, thank you. We’ve been waiting for something like this.” Because people at the ground level have seen these kinds of issues over the year. So I’ve been very happy with the positive reception from the workforce in general [and] very happy with the support of leadership top down.

What I’m really hoping to have is when we have this follow-up conversation in a year and you ask what are you most happy about, I’ll be able to have specifically increased in value what the organization does or some specific infrastructure and tools we put in place.

Leave a Comment

Leave a comment

Leave a Reply