Seeking risk managers

Agencies worry demand could exceed supply

Federal agencies could be missing the point when they move senior information technology officials into positions in which they are responsible for information security.

By requiring chief information security officers (CISOs) to report to agencies’ chief information officers, federal officials are treating information security as an IT problem, which may be the wrong approach, said Paul Proctor, vice president for security and risk strategies at META Group, now owned by Gartner.

“One of the fundamental things they’re missing here is that security and risk management are not technical IT problems,” Proctor said.

Executives at private-sector companies are beginning to look for people who have risk management experience in addition to, or in lieu of, IT experience when they hire senior information security officials, he said.

It is a demand that will only continue to grow. Forrester Research analysts estimate that 75 percent of the largest companies will have a chief risk officer by 2007.

But whether the private-sector trend toward hiring risk managers with business experience will take hold in the federal sector is uncertain. The E-Government Act of 2002 gives federal CIOs responsibility for information security and the authority to delegate that responsibility to a senior agency official.

Many senior security officials agree that questions about the appropriate career path for CISOs will demand answers as the need grows for more people to fill such positions. “The security field is growing — that’s the good news,” said Jane Norris, CISO at the State Department. “The bad news is where are we going to get all these people.”

She pointed to a recent study conducted by the International Information Systems Security Certification Consortium, which certifies information security officials’ training. According to the study, senior officials expect employment for people in information security positions to increase at a compound annual growth rate of 14 percent between now and 2008.

The same report projects slower growth in IT employment, stating that it will increase at a compound annual rate of only 5 percent to 8 percent in the same period.

Some federal agencies are committed to seeing that the next generation of CISOs has the advantages of academic degree programs tailored to computer and information security. For example, since 2001, the National Science Foundation, with funding from the Homeland Security Department, has given student scholarships and institutional grants to colleges and universities that offer degree programs in the emerging field known as information assurance.

“Students who are coming out of school now are having the benefit of entire programs focused on information assurance, and that’s not the way it used to be,” said Diana Gant, director of the NSF’s Federal Cyber Service Scholarship for Service Program.

The course offerings are interdisciplinary and usually include management and operations courses, she said.

Training the next generation

Federal officials have a new source for help in creating the next generation of information security managers. The Federal Cyber Service Scholarship for Service Program, administered by the National Science Foundation, gives scholarships and other funds to colleges and universities to train students in information assurance. In exchange, students work for two years for the federal government.

Here are some additional facts and figures about the scholarship for service program:

  • NSF began the program in 2001.
  • 540 students have received scholarships through their colleges to prepare for careers in information assurance.
  • Student scholarships cover tuition, fees, room and board, and a stipend for a two-year master’s degree program or the final two years of an undergraduate degree program.
  • The program’s fiscal 2004 budget was $14.1 million.
  • About 20 higher education institutions have been awarded scholarship money under the program.
  • Nearly 90 such institutions have received money to develop information assurance programs.

    — Florence Olsen

  • 2014 Rising Star Awards

    Help us find the next generation of leaders in federal IT.

    Reader comments

    Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

    Please type the letters/numbers you see above