Survey: CISOs dish on FISMA

More than half of federal chief information security officers say they feel empowered in their jobs, according to a recent survey. On the other hand, more than 40 percent said they do not see enough benefit to justify the work required by the Federal Information Security Management Act.

The findings come from a poll that Cisco, Government Futures and (ISC)2 conducted of federal agency CISOs. The results represent the responses of 21 CISOs to a set of questions that were answered over the phone, in person or online.

Lynn McNulty, director of government affairs for (ISC)2 and a former federal information security program manager, said he was pleased to see that CISOs felt empowered and that management was paying attention. McNulty conducted the interviews for the survey.

“My feeling is that if we had taken the survey five years ago that kind of overwhelming response that they were feeling empowered would not have been there,” McNulty said. “They would have said that they were sort of marginalized — either ignored or having only a minimal difference in the agencies that they work in.”

According to the survey, 57 percent of CISOs surveyed said they thought they could significantly impact the security posture of their department or agency.

McNulty said the desire to move toward continuous monitoring — and away from the paper-based monitoring currently used to comply with FISMA — squares with cybersecurity legislation introduced April 28 by Sen. Thomas Carper (D-Del). The legislation would give CISOs the authority to ensure that agencies can — on an automated and continuous basis — detect, report and mitigate cyber incidents.

According to the survey, just 9 percent of the respondents said they considered the FISMA process “a great success,” with 24 percent saying it was a “paper exercise with little upside.” Meanwhile, 19 percent said the “costs exceed benefits” of the FISMA process, and 48 percent said they saw FISMA as representing “real but uneven improvement.”

The report also said many CISOs were frustrated with the George W. Bush administration’s Comprehensive National Cybersecurity Initiative because it was seen as having too much of an external focus and not paying enough attention to long-standing security problems.

In addition, 48 percent of the CISOs surveyed said they saw external threats as the biggest threat, with 26 percent each citing insider threats and software vulnerabilities as most daunting.

Three quarters of the CISOs surveyed said the mandatory professional certification required by Defense Department Directive 8570.1 should be extended to cover the entire government.

McNulty said most of the responses were from civilian agency CISOs and that those who conducted the survey felt its results were statistically valid. The report’s results were anonymous, and it was the first time the survey had been conducted. The results were released April 30.

Overall, the survey found that federal CISOs feel empowered but wish they had more resources and support to do their jobs.

About the Author

Ben Bain is a reporter for Federal Computer Week.