Don Watson is the USPTO’s CISO and Director of Cybersecurity. Prior to joining USPTO, he was Director of Security Operations in the Office of Information and Technology, U.S. Customs and Border Protection (CBP) at the Department of Homeland Security. At CBP, he led a large team of IT professionals and oversaw cybersecurity monitoring, analysis, incident response, cyber threat intelligence, digital media analysis, and data protection and monitoring. Prior to CBP, Don served at the Department of Defense and the U.S. Army in uniform, and as a civilian employee for 28 years in IT and cybersecurity leadership positions.
In an era of constant cyber threats, technology and tools alone do not create adequate protection for a 21st-century agency. Leaders today need a diverse, skilled team with an expert lens on emerging threats and sharp strategy and tactics to thwart them. Armed with threat intelligence and fresh insight, the USPTO’s CISO Don Watson recently discussed new innovation in cybersecurity.
1. How are “DevSecOps” and emerging technologies part of the IT playbook at the USPTO?
“The Office of the CIO’s organization is on a journey to stabilize and secure our software products while modernizing them as business needs and security concerns demand. Our teams are employing robotic process automation, artificial intelligence, and machine learning capabilities to support both our business and security operations. Our approach to ‘DevSecOps’ relies on the idea that everyone on the team is responsible for security. Cybersecurity is now integrated into our software development process, starting in the early stages, rather than woven in later. We ensure that security is part of a product’s design, starting from the initial conception all the way through to a release. To be successful, everyone in the organization must embrace security, top to bottom.
“As ‘America’s Innovation Agency’, we protect the ideas and investments that are the foundation of this country’s economic potential. We at the USPTO are at the cutting edge of the nation's technological progress and achievement. It is my belief that cybersecurity is an enabler for the business as the USPTO continues expanding innovation in the U.S.”
“Our security and risk management practices are becoming more agile, and now move at the speed of the development process. We include security upfront, and empower developers to help manage security. Developers need tools that can help automate and bake in security when they write the code, and make architectural decisions. We have established tools in our pipeline to identify vulnerabilities and enable developers to remediate them, so we can deploy secure products.”
2. In addition to security in the software pipeline, what role do individual managers play?
“Critical to our cybersecurity program are the system security and risk management roles people play. We assign staff members to system security roles in writing to assure that our products have adequate security. To be effective, these individuals must have in-depth knowledge of the information and processes supported by the products, and the management, personnel, operational, and technical controls used to protect the products. We assign risk management roles to senior executives who have budgetary oversight for products and/or are responsible for the mission or line of business supported by the products. These executives are responsible and accountable for the risks associated with the operation of their products, shared with our CIO. It is critical to have adequate, planned resources available to maintain the security and privacy protections of their business products.”
3. What are some ongoing processes or measures in place now for IT security?
“We perform continuous monitoring activities to ensure our products and infrastructure in the cloud and in our data centers remain secure. The activities include security architecture reviews, vulnerability scanning, penetration testing, security and privacy control assessments, and remediation activities. We prioritized our efforts on the remediation and protection of our most valuable assets. A high value asset is information or a system that is so critical to an organization that its loss or corruption, or loss of access to it in the case of an IT system, would have serious impact to the organization's ability to perform its mission or conduct business.
“We’ve deployed robust endpoint detection and response capabilities to support incident data search and investigation, alert triage or suspicious activity validation, suspicious activity detection, threat hunting or data exploration, and stopping malicious activity. Additionally, we have deployed an Identity, Credential, and Access Management solution to enable the right individual to access the right resource at the right time and for the right reason. How we conduct identity proofing, establish digital identities, and adopt sound processes for authentication and access control significantly affects the security and delivery of our services to the public and our business units. To manage and monitor our privileged accounts and access, we are deploying a Privileged Access Management (PAM) solution, which is a critical component of enterprise security. This solution will allow our organization to effectively monitor where privileged access exists at every layer, understand which human and non-human entities have access to what, alert us on malicious activity, and enhance overall cybersecurity.”
4. What about the migration to the cloud and security concerns?
“As we continue our cloud journey, we are researching such concepts as secure access service edge, zero trust architecture, and cybersecurity posture management, approaches that can improve protection, find misconfigurations, prevent data leakage, and provide continuous monitoring for our cloud environments.”
5. We know employees help form the front lines of any cyber defense. What are some innovative approaches to employee training and communications that you see on the horizon?
“USPTO employees and contractors are our first line of defense against growing threats to the assets and valuable information entrusted to us. This year, to drive more engagement with security concepts, we introduced new, interactive training with videos, quizzes and other compelling elements. By gamifying security training, we expect employees to gain more from the critical topics and lessons.”