Letter: Overburdening program managers puts security at risk

The title of “Program managers are also security managers” should scare anyone who is concerned about information security and privacy in the federal government because it is highly accurate. Information technology management is so distributed in the federal government that it frequently falls to the program manager to decide how much security to implement and how to implement it. This is yet another area we expect program managers to be experts in, despite a frequent lack of training, inadequate budget and rapid change in the state of the art of attacks. Most frighteningly, the systems program managers are responsible for are usually networked with other systems, managed by other program managers. In IT security, the chain is truly only as strong as its weakest link. The most serious network attacks find vulnerabilities in one network and then follow trust relationships between networks to discover valuable information.

 


I contrast this approach with the (unnamed) large (90,000 people) corporation where I was recently a chief information officer. At this corporation, a panel of security experts sets IT security policy for the company. CIOs are expected to implement that policy, and all of their networks are audited to determine compliance with the policy. The results of these audits are published to the chief executive officer and board of directors. Failing an audit gets the highest levels of attention and usually invokes the other meaning of CIO: Career Is Over.


Information security is a full-time job, not yet another responsibility for overloaded program managers to assume. Until the federal government implements a serious information security management structure, breaking down its sacrosanct agency, office and program independence, information compromise is inevitable. A chain is only as strong as its weakest link, and the federal IT system chain is tens of thousands of links long.


Anonymous


What do you think? Paste a comment in the box below (registration required) or send your comment to letters@fcw.com (subject line: Blog comment) and we'll post it.

Featured

  • People
    Dr. Ronny Jackson briefs the press on President Trump

    Uncertainty at VA after nominee withdraws

    With White House physician Adm. Ronny Jackson's withdrawal, VA watchers are wondering what's next for the agency and its planned $16 billion health IT modernization project.

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.