CISOs have growing clout in agencies, but still face challenges
A majority of federal chief information security officers surveyed recently said they were having a positive influence on the security posture of their agencies.
“Almost unanimously they feel like they are making a difference,” said Lynn McNulty, director of government affairs for the International Information Systems Security Certification Consortium Inc. (ISC2), which conducted the survey. “I don’t think that would have been true five years ago.”
In the past five years, CISOs have gotten statutory authority while IT security has emerged as a major national security concern, consequently becoming a significant management issue, giving CISOs a seat at the table.
But despite progress, the role of the CISO and IT security still are not fully mature. Most CISOs do not report directly to the top level of management, organizational stovepipes continue to interfere with security efforts and security oversight too often is focused on regulatory compliance and paperwork rather than on real risk management, they said.
As a result, security officials are split about whether information security has actually improved in their agencies. About half say they feel they have “turned the corner” on security, and the other half still feel that they are behind the curve.
ISC2, Cisco Systems and Government Futures interviewed 21 CISOs from a cross-section of civilian agencies in March. Response from the military and intelligence sectors was not as good, McNulty said.
Still, “we heard from a significant number of CISOs,” he said, and even with the relatively small number received consistent responses that led them to believe they had a valid response. “We think the information we have reflects the opinion of the CISO community.”
The results were released today in a report titled, “The State of Cybersecurity from the Federal CISO’s Perspective.”
The survey reflects a growing consensus that the Federal Information Security Management Act, which has been the principle civilian IT security regulation for the past seven years, has outlived its usefulness in its current form. Although CISOs generally view FISMA favorably, they feel that a continued emphasis on reporting and achieving compliance is getting in the way of genuine risk management. Because compliance does not equal security the security officers would like to see more attention paid to continuous monitoring of systems.
The CISOs give high marks to FISMA guidance and assistance from the National Institute of Standards and Technology, which is responsible for producing the standards and specifications for FISMA compliance, and to a lesser extent the National Security Agency. But they do not view the Office of Management and Budget, which has a principle role in FISMA oversight, and the Homeland Security Department as effective leaders.
Many respondents reported frustration with the previous administration’s Comprehensive National Cybersecurity Initiative.
“The CNCI was largely seen as having ‘an external focus’ and not devoting enough funds to fixing longstanding agency security problems,” the report says. “In addition, desires for greater attention to authentication, reduced classification of information, and better access to Einstein data were expressed by more than half the respondents.”
Manpower is another area of concern. Hiring at 22 percent of the agencies surveyed is frozen, and only replacements are being hired at another 22 percent. “Minimal” recruiting is being done at 39 percent of agencies, and only 17 percent are aggressive in hiring. One positive aspect of the current economic crisis is that most CISOs believe that it will make it easier for government to recruit and retain qualified security professionals.
The number and quality of security professionals being educated in the nation’s universities increased in recent years, but there's still a shortage, said Cisco CSO John Stewart.
“We’re still not producing enough of them,” he said. “They are in high demand.”
For all of the reservations of the security officers, information security is moving in the right direction, McNulty said. There is a greater public awareness of security issues and it has become a priority in both the White House and in Congress, and CISOs are gaining power and access.
“That tells me we’re moving on the right track,” McNulty said. “We’ve made progress. That wasn’t always the case.”