There are big jobs. Then there’s Chuck McGann’s job.

As the chief information security officer for the U.S. Postal Service, McGann is responsible for protecting the integrity of information and the information infrastructure used in operating one of the world’s largest enterprises.

McGann, who has over 23 years of experience in the federal government, oversees the security of the USPS data infrastructure, which involves over 400 business applications supporting all aspects of business and mail operations. A significant failure of these systems could cause delays in the processing and delivery of mail, impacting USPS’s operating costs and potentially even the country’s economy.

Last month, McGann was named the new Co-Chair of the U.S. Government Advisory Board for Cyber Security at (ISC)2, the world’s largest information security professional body. He is a certified information systems security professional (CISSP), a certified information security manager (CISM) and holds a certification for information assurance methodology (IAM) from the National Security Agency (NSA).

Breaking Gov Editorial Director Wyatt Kash recently asked him about what he’s working on and what he’s learning.

Where would you rank USPS in terms of the top corporations in the US, or the world, in terms of the size or scope of their operations?

McGann: The USPS is one of the largest companies in the US and in the top 10 companies in the world based on locations and infrastructure. We have 34,000 retail locations and over 300 major mail processing facilities. We process over 2.2 million email messages a day and have more retail outlets than WalMart, McDonalds and Burger King combined. We also support the largest intranet of any organization in the world, with over 185,000 workstations and 10,000 servers.

What are you focusing your time, or what are your top priorities, now at USPS to improve its information security?

McGann: We are focused on protecting the customer and business data that is entrusted to us during our business dealings. Our brand is built on trust and we work tirelessly when it comes to protecting that brand image and that includes the data. We look at the changing threats on a daily basis and adjust our protection strategy based on newly identified attacks or efforts to impact the systems that support our customer and business needs.

How have you had to adjust your priorities in light of the USPS current funding challenges?

McGann: This is an interesting question. Like every security professional, I’d like to have unlimited resources, and like most companies, we make decisions based on a risk management model that helps us identify the value of the data or system against the potential loss of use and then prioritize the attention based on the model. I have been lucky with my current and previous CIOs, in that we work together to find funds for technology solutions when warranted. Our security solutions vendors worked with us to find economical and efficient usage of our contracts, which has been a tremendous help in controlling costs.

What lessons have you learned over the past year or two?

McGann: The bad guys only have to be right once to break in and cause problems; security staffs must be right 100% of the time. There is no down time and the threats mutate based on the technology changes that are occurring. Look at the iPhone or the Android – new technology and it has become the “hottest” threat space right now. Everyone wants convenience, but it comes with a price tag; it comes with risk.

We as security professionals need to be as organized as those that would undermine our efforts and I hope to continue the hard work the Government Advisory Board and the Federal CISOs have started for sharing our knowledge and pooling our efforts.

Of all the groups you belong to, what is it about (ISC)2’s work that has drawn you to serve as the new incoming co-chair?

McGann: I think (ISC)2, as an organization, is the premier recognized education and certification organization for our profession. I became a CISSP in 2002 and have watched the (ISC)2 organization mature and respond to the needs of our discipline and the organizations we support. I also watched the threat landscape change over the years and I think I have a unique background and perspective that can bring value to the co-chair position. This should not be interpreted as taking anything away from the other security organizations which I also have memberships in. Not a lot of people know this, but the USPS was one of the original supporters of the (ISC)2 efforts and the CISSP certification development.