Some of those lessons revolve around the fact that DHS had to combine many legacy systems in bringing together 22 different organizations, according to Robert West, CISO for DHS.
"In a perfect world, starting from scratch, we'd probably make different choices. The real lesson learned is the more you can design security in from the beginning, the better off you'll be in the long run," he said Wednesday in a keynote at the Security Leadership Council, an online conference hosted by Security and Technology Online (SATO).
The industry could help, West said.
"Vendors need to understand we're a long-term project. Things don't happen overnight. They need to take the long view," he said.
Vendors also need to try to work together, West said. There were times when DHS was working with several companies on a contract and needed to hook infrastructures together. "It's really been a puzzle. It would be better if vendors could come to us and say, 'Here's the solution'."
Another lesson the agency has learned is that infosec requires a comprehensive approach, West said: "Security can't be done piecemeal. There has to be an overall plan. We defined what a FISMA-compliant program would look like for the department. It's that comprehensive approach that's key."
User accountability and training also are critical, he said. "My view is information security is more about the people than the technology."