Security: It's a management thing

Best Security Practices

Federal agencies are making the same mistake when it comes to security — viewing it as something that can be fixed with technology and not recognizing it as a management issue, officials said Monday.

"We have a tendency to turn [security] into a technical problem, rather than a management problem with technical aspects," said Marty Wagner, associate administrator of the General Services Administration's Office of Governmentwide Policy, speaking Monday at the Defending Cyberspace conference in Washington, D.C.

The CIO Council's Security, Privacy and Critical Infrastructure Committee is working on several initiatives to help agencies get a handle on the management aspect of the federal security problem, said John Gilligan, deputy chief information officer at the Air Force and co-chairman of the committee. Some pieces already are available, including a Web-based repository of security best practices and the Information Technology Security Assessment Framework that the council released last week.

But the biggest problems and the best solutions come from line managers and program leaders, Gilligan said. Getting the word out to these people and getting them to understand the importance of their role in the security of federal systems and programs is one of the challenges the council is trying to solve right now, he said.

For the most part, the council's efforts involve providing newsletters, sample policies and conferences, but the council is also partnering with the U.S. Chief Financial Officers Council and others, Gilligan said.

In the immediate future, the committee's efforts are focused on two areas: risk management and funding.

Many agencies do not know how to assess their level of risk or how to manage that risk throughout a program's life cycle. Although the General Accounting Office has issued an executive guide presenting risk management best practices from industry and government, the security subcommittee is trying to develop additional guidelines and processes to help, Gilligan said.

Agencies struggle to fund efforts relating to federal requirements under Presidential Decision Directive 63, which calls for agencies to protect systems that run the nation's critical infrastructure. President Clinton signed PDD-63 in May 1998, but agencies have trouble getting funding for programs that often cross agency lines.

Gilligan said the critical infrastructure protection subcommittee is developing guidelines for agencies on how to prepare budget submissions and how to work on those submissions with the Office of Management and Budget and the appropriations committees in Congress.

