Survey shows CISOs playing larger role at agencies

But information security gaps continue to dog security officers.

Federal chief information security officers say they play a larger role in securing their agencies' networks but still face significant challenges in protecting them, according to a survey released on Thursday.

Ninety percent of CISOs surveyed by the International Information Systems Security Certification Consortium (ISC)2 said they have had a positive impact on cybersecurity at their agencies.

"I think that's really important; five to seven years ago you wouldn't have gotten the same response," said Lynn McNulty, director of government affairs for (ISC)2.

"The CISOs' responses clearly demonstrate that cybersecurity is evolving in terms of management priority," said W. Hord Tipton, executive director of (ISC)2. "Although CISOs are still facing organizational challenges, we view it as a positive sign that CISOs feel they are being listened to by senior management and that their recommendations are, for the most part, being considered and implemented. However, that has not always been the case in the past."

Nearly half the respondents said external data theft is now the biggest risk to the federal government, followed by insider threats and software vulnerabilities. CISOs were split when asked to rate progress on safeguarding agency information and systems, with half saying the government is "turning the corner" and the other half saying their agencies are "not getting ahead of the attackers."

McNulty said the more optimistic group pointed to programs such as the Office of Management and Budget's Trusted Internet Connection and Federal Desktop Core Configuration initiatives as evidence of the government's progress.

"I would think some of those people who responded positively were the ones who had been in the middle of successful implementations of those programs and are starting to see a difference in the number of incidents referred up to them," he said. Some of the less optimistic respondents, McNulty noted, likely were from agencies lagging behind on those initiatives.

At a Senate Homeland Security and Government Affairs Committee hearing on Tuesday, several information security professionals said the government is rapidly falling behind hackers, enemy states and other organizations seeking to penetrate its systems. Alan Paller, director of research at the SANS Institute, called federal cybersecurity defenses "childlike."

"Many operators feel still that they're outgunned," said John Stewart, vice president and chief security officer at Cisco Systems. "Security people feel like they are constantly playing defense, catch-up. It's never good enough, you face 1,000 attempts [to penetrate your systems] and you have to defend them all. Only one has to succeed."

Stewart said constant vigilance is essential for information security officers, a point of view supported by the (ISC)2 survey, in which CISOs strongly favored a shift from compliance reporting under the 2002 Federal Information Security Management Act to continuous monitoring of IT systems, including intrusion detection and stronger prevention mechanisms.

Sen. Tom Carper, D-Del., introduced a bill on Tuesday to rewrite portions of FISMA to incorporate many recommendations from CISOs, such as increasing emphasis on real-time monitoring and requiring penetration testing of IT systems.

McNulty said many CISOs generally viewed FISMA positively because it gave them more visibility and established baseline requirements that agencies were forced to comply with, including independent reviews by agency inspectors general to verify the information chief information officers reported.

"But I think they came back and said the effort required to produce these reports was starting to result in diminishing returns," McNulty said.

The survey also showed that 76 percent of CISOs reported to their agency CIO, as required by FISMA, but none reported to their chief financial or chief operating officer, a reporting structure that respondents said limited their overall effectiveness.

"The CIO community has been active in keeping CISOs in their component of the organization," McNulty said. "CISOs see what they're doing as strategic enough that they need to have unfettered access to senior levels of government."