CISOs are overworked and underfunded, study says
- By William Jackson
- Nov 22, 2004
Testing and installing software security patches on government IT systems is the most pressing job for many chief information security officers, but most have little time to devote to it, according to a study released today.
'They are very concerned about patch management, but they are spending an inordinate amount of time doing reporting,' said Ted Ritter, director of cybersecurity for Intelligent Decisions Inc.
The survey by the Chantilly, Va., systems integrator, also found a class divide between security haves and have-nots.
'We didn't expect to see the big gap between those with $500,000 a year and those with $10 million a year, with almost nothing in between,' Ritter said.
The lack of resources could be undermining the goals of the Federal Information Security Management Act.
'The mandate of FISMA to establish a CISO role has been followed through,' Ritter said. 'What doesn't seem to have happened is that they don't have the resources they need to fulfill this role.'
Intelligent Decisions interviewed 25 of the government's 117 CISOs to spur discussions between security officers, industry and legislators.
'We think that we did a decent job in our first time out getting a good sampling,' said Intelligent Decisions president Harry Martin.
Martin said the company expects to do annual CISO surveys and build on the baseline data collected in this year's study.
The sample included CISOs from large and small agencies. Most, 62 percent, controlled annual security budgets of less than $500,000, and another 19 percent controlled up to $1 million a year. Fourteen percent had budgets greater than $10 million. Those at the lower end of the budget scale supervise an average of 2.6 dedicated IT staff, while those on the other end supervise 16.7 staff.
CISOs spent the greatest amount of their time, on average three hours a day, on compliance reporting. One hour is spent on troubleshooting, and less than an hour on larger issues such as network monitoring, architecture development and inventory control.
In general, CISOs spend their time putting out fires and on day-to-day operations rather than improving the overall security posture of their agencies, Martin said.
Better software could ease the demands of patch management, Ritter said. 'Clearly, software quality is an important issue.'
On the legislative side, putting more IT security money into the hands of the CISOs could help enable more strategic efforts to improve security postures.
'Right now, the numbers definitely aren't there,' he said.
William Jackson is a Maryland-based freelance writer.