Survey: CISOs dish on FISMA

CISOs generally feel "empowered" in their jobs, but believe FISMA is not worth all the work.

More than half of federal chief information security officers say they feel empowered in their jobs, according to a recent survey. On the other hand, more than 40 percent said they do not see enough benefit to justify the work required by the Federal Information Security Management Act.

The findings come from a poll that Cisco, Government Futures and (ISC)2 conducted of federal agency CISOs. The results represent the responses of 21 CISOs to a set of questions answered over the phone, in person or online.

Lynn McNulty, director of government affairs for (ISC)2 and a former federal information security program manager, said he was pleased to see that CISOs felt empowered and that management was paying attention. McNulty conducted the interviews for the survey.

“My feeling is that if we had taken the survey five years ago that kind of overwhelming response that they were feeling empowered would not have been there,” McNulty said. “They would have said that they were sort of marginalized — either ignored or having only a minimal difference in the agencies that they work in.”

According to the survey, 57 percent of respondents said they thought they could significantly affect the security posture of their department or agency.

McNulty said the desire to move toward continuous monitoring — and away from the paper-based monitoring currently used to comply with FISMA — squares with cybersecurity legislation introduced April 28 by Sen. Thomas Carper (D-Del). The legislation would give CISOs the authority to ensure that agencies can — on an automated and continuous basis — detect, report and mitigate cyber incidents.

According to the survey, just 9 percent of the respondents said they considered the FISMA process “a great success,” while 24 percent called it a “paper exercise with little upside.” Meanwhile, 19 percent said the “costs exceed benefits” of the FISMA process, and 48 percent said they saw FISMA as representing “real but uneven improvement.”

The report also said many CISOs were frustrated with the George W. Bush administration’s Comprehensive National Cybersecurity Initiative because it was seen as having too much of an external focus and not paying enough attention to long-standing security problems.

In addition, 48 percent of the CISOs surveyed said they saw external threats as the biggest threat, with 26 percent each citing insider threats and software vulnerabilities as most daunting.

Three quarters of the CISOs surveyed said the mandatory professional certification required by Defense Department Directive 8570.1 should be extended to cover the entire government.

McNulty said most of the responses were from civilian agency CISOs and that the questioners felt the survey’s results were statistically valid. The responses were anonymous, and it was the first time the survey had been conducted. The results were released April 30.

Federal CISOs feel empowered, but wish they had more resources and support to do their jobs, according to findings of a new survey of federal CISOs.