CYBEREYE: IT managers are lost in the forest of security
Too many federal IT managers still appear to be grappling with security as a technology issue rather than a management issue, which might help explain the slow progress being made in information security.
Nearly 80 percent of respondents in a recent survey of government IT decision-makers listed managing firewalls as their top priority. Only 20 percent paid that much attention to developing a business case for their security programs.
Given these lopsided figures, it should come as no surprise that the same respondents also listed a lack of funding and low program priority as the biggest barriers they face to improving network security.
The numbers come from an online survey conducted by Market Connections Inc. for Cisco Systems Inc. The 107 qualified respondents to the questionnaire represented 28 civilian and Defense Department agencies. Fully 80 percent were at the C-suite, program or data management level.
Unfortunately, the results seem to contradict those from a study last year indicating that chief information security officers were beginning to spend more time on architecture development and less on day-to-day tasks such as inventory control and system administration.
The numbers in both surveys might be too small to warrant broad conclusions, but it's worth noting that those managers who focus on nuts and bolts find that budgets and funding are their biggest problem. Managing firewalls is important, but if you can't make a business case for security, where is the money going to come from?
Around and around
This does not necessarily mean that these managers are at fault. They could be caught in a vicious cycle that keeps them strapped for cash. If they begin without adequate funding and resources, they will have to spend more time attending to details that otherwise could be delegated to a staff. This cuts into the time and attention spent on business cases that could justify larger budgets.
How to break this cycle? Injecting money into the system could help, but this is not something Congress seems inclined to do. Funding often is doled out as a reward, with money going to those who already are doing the best job rather than to those who need to make improvements.
Realistically, those managers who find themselves strapped for resources will have to change their priorities. In the Cisco survey, the highest priority for most respondents was compliance with the Federal Information Security Management Act and getting to green status on the President's Management Agenda. Lowest priority was linking budgets to program performance.
Managers need to remember that FISMA is not an end in itself, but a management tool for information security. FISMA compliance should be a byproduct of improved security. Linking a budget to program performance is key to getting money to improve security, which should result in improved FISMA marks.
On a more personal note, it is gratifying to see that more than half of survey respondents (58 percent) rely on trade publications to keep abreast of security issues. This is fewer than the 70 percent who primarily use Web sites, but more than the 49 percent who depend primarily on vendors and outside consultants for information.
It's nice to know that someone out there is reading.
William Jackson is a GCN senior writer. E-mail him at email@example.com.