Concerns grow over security group

The co-chairman of the advisory board for the Chief Information Security Officers Exchange says he's 'uncomfortable' with the structure.

More participants in a new public/private council of security officers are distancing themselves from the initiative amid worries that it creates the perception that a select group of vendors is paying to have undue influence on public policy.

Vance Hitch, the Justice Department's chief information officer, said he has concerns about the structure of the Chief Information Security Officers (CISO) Exchange, a for-profit venture. Hitch is listed as co-chairman of the advisory board for the exchange, which was organized by O'Keeffe and Company, a Northern Virginia public relations and marketing firm.

"We want to move forward with something" that will allow security officers from government and industry to exchange best practices, Hitch said today. "But we are uncomfortable with the form that the original proposed exchange has."

Hitch said his office didn't investigate how the exchange would be structured when he was first approached to join the initiative. O'Keeffe officials have publicly touted the CIO Council as a co-founder of the exchange. However, Hitch said his involvement does not mean that the CIO Council is sponsoring the exchange.

And one industry executive originally listed as a participant says he won't work with the group. Austin Yerks, Computer Sciences Corp.'s president of federal sector business development, will have no involvement with the exchange, a CSC spokeswoman said. O'Keeffe’s statement last week that Yerks is one of two paying industry members of the advisory board was premature, the spokeswoman added.

Those announcements come days after Rep. Tom Davis (R-Va.) announced he is withdrawing from any official participation in the exchange. O'Keeffe had pointed to Davis, chairman of the House Government Reform Committee, as an exchange sponsor. "They jumped the gun in putting us out front," Davis said today after speaking at Federal Sources' annual Outlook conference.

"The imprint of having this being exclusively public on a pay-to-play, that’s something we’re uncomfortable with," he said.

Davis did praise the general idea of a public/private CISO forum. "It makes it a lot easier when the government is buying products and when you're selling products to understand the different operations," he told the event audience. "We stand behind it, and we hope it's going to be a successful program."

Representatives of the Internal Revenue Service and the Department of Housing and Urban Development, which have federal officials on the 12-person CISO Exchange board, referred calls to O’Keeffe.

Government officials have approached the Industry Advisory Council about the possibility of creating a CISO forum, said Bob Woods, IAC’s chairman. "We have done nothing to seek this. Two days ago, I barely knew what was going on," Woods said.

If the board approves IAC involvement, its officials would examine whether anything can be salvaged from O'Keeffe’s efforts, Woods said.

"I think honestly they tried their best to do something and put it together in a fairly commercial model that has not worked out," Woods said. "I would not be opposed certainly to them being involved, because they've put some effort into it, and they ought to be recognized for it."

But IAC has made no commitments, Woods said.

The Information Technology Association of America has not been contacted about the exchange, said Greg Garcia, ITAA’s vice president of information security programs and policy. "It's something we're certainly willing to talk about," he said.

A major cause of the controversy surrounding the CISO Exchange is the perception of an inappropriate link between the group's paying members and government policy-makers. Full industry participation in the exchange costs $75,000 and is limited to six system integrator representatives. Other industry officials can join for $25,000 or $5,000, with varying levels of access and authority over exchange efforts.

An annual report on federal information security priorities and operational issues has been cited as a goal for the exchange. But some industry officials have said reports from a group that includes members of Davis' staff and the CIO Council could be incorrectly perceived to be government policy documents.

A future CISO Exchange may not produce an annual report, Hitch said. "Only CIOs have the authority to make policy like [information technology] security," he said.

Under one scenario, ideas presented at exchange meetings would be reviewed and collected for publication, Hitch said. "I'm not saying my name will be on it," he said. "We're exploring how we can make the concept work in a form that will promote openness and accessibility."

Steve O'Keeffe, executive director of the CISO Exchange and principal of O'Keeffe, has described the exchange as no different than other events for government officials that industry representatives pay to attend. He criticized Federal Computer Week's objectivity because FCW's parent, FCW Media Group, sponsors industry events throughout the year. FCW's competitors also host such events.