Government Information Security Officers Express Their Views

Federal chief information security officers (CISOs) feel more empowered today because their organizations’ leaders are listening to them and heeding their advice. Responses to a survey revealed that the CISOs concur that external attacks—primarily data loss and exploits—are the foremost threat. They also agree about several improvements that would increase defenses and heighten their effectiveness, although they are divided about the status of agency information and systems security.

Cisco Systems Incorporated, Government Futures and (ISC)2 conducted the study, asking 40 federal agency and bureau-level CISOs for their perspective on the current and future state of agency programs and network and systems security. Among the challenges they face are inadequate resources, an undue focus on compliance reporting and unnecessary paperwork. Despite these issues, the majority of CISOs expressed high satisfaction with their jobs.

In addition to external threats, the CISOs identified governance issues as a menace to information security and systems; in particular, the ambiguity of their roles within organizations continues. This matter could be resolved by increasing senior management support and eliminating organizational stovepipes, they agreed. Regarding differing information security approaches, one CISO’s input summarized the situation: “We’re fighting ourselves.”

Michael J. Castanga, CISO, U.S. Department of Commerce, and former CISO for NASA, says the responses to the survey also indicate that information security is likely to get worse before it gets better; however, he believes the United States can build a capability to manage attackers. Social networking tools make it harder to distinguish between insider and outsider threats, Castanga adds. Stronger authentication techniques and trust-but-verify approaches are needed to address this issue, he maintains. Finally, he emphasizes that people are the most important element in information security, and because of the economic downturn, attracting well-qualified job applicants is easier; however, agencies must make working for the government attractive.

According to John N. Stewart, vice president and chief security officer, Cisco Systems, the commercial and government sectors have overlapping information security concerns. For example, on the issue of data loss, they both need and want not only to prevent adversaries from stealing data but also to be able to maintain complete records. Collaboration between industry and agencies is one way to manage this situation, particularly by sharing experiences. Sharing is not something these two sectors do well today, but it is vital to handling the problem, he says.

“The boundary between inside and outside threats is blurred,” Stewart adds, “so a new process is now needed.” Regulation and oversight are essential; however, they should not affect the elasticity of information technology, he notes.

W. Hord Tipton, executive director, (ISC)2, and former chief information officer for the U.S. Department of the Interior, says that the Cybersecurity Act of 2009, which is in the early discussion stage in the U.S. Senate, at least in part addresses the issue of regulation. It calls for mandatory information security certification for anyone involved in cybersecurity in the federal government or the privately owned critical infrastructure area. This regulation would be introduced gradually, with a licensing program established during the first year and full enforcement in three years, Tipton explains. “Certification is a validation of competence,” he states.

Tipton believes information technology and information assurance should be two separate jobs within an organization. In addition, he advocates more funding for continuing education for both of these specialty areas. “It will be a big mistake to cut back on professional development in the economic downturn because up-to-date skills will be needed when the economy turns around,” he states.

The 2009 State of Cybersecurity from the Federal CISO’s Perspective, a report that (ISC)2 generated from responses to this survey as well as from additional research, includes four recommendations for changes that would improve circumstances for CISOs. First, the compliance culture should be replaced with a risk-management culture. Second, the concern about external threats should continue; however, more emphasis should be placed on addressing internal threats. Third, additional attention must be paid to the “unknown time bombs” that attackers are placing within government and private sector systems today to be activated at a later date. Finally, government CISOs as well as information security professionals in industry must assume a proactive stance. “We must reverse the odds by architecting systems that are inherently secure and not rely on fixing one that was designed to be fundamentally nonsecure,” the report states.