Is an emphasis on compliance hampering IT security?

Leo Scanlon, chief information security officer of the National Archives and Records Administration, has an information security question for federal CIOs: "Are you satisfied that where you are is good enough? Do you understand the risk?"

Too often, he says, federal C-level officials do not know if their security is adequate because they do not understand the risks they face and what the risk tolerance of their agencies should be. And too often, they are content to remain that way.

The issue of understanding and managing IT risk takes on greater significance with the growing emphasis on automating security. Security professionals, system administrators and agency executives have been fighting a battle over IT security vs. regulatory compliance since the passage of the Federal Information Security Management Act of 2002. Critics of the act — or at least of how it has been implemented — say that an emphasis on grading agency performance based on compliance scores has undermined efforts to improve security. With the introduction of tools to monitor systems, respond to incidents and report on status, there is a chance to finally settle the battle in favor of security.

William Jackson covers cybersecurity for FCW's sister publication, GCN, where this piece first appeared. For more, see Jackson's CyberEye blog on GCN.com.

The question, said Scanlon, is "are we going to automate compliance or automate risk management?"

Speaking at cybersecurity conference hosted by (ISC)2, Scanlon said that FISMA was never intended to be about compliance. The opening paragraphs of the act spell out that its intent is to "provide a comprehensive framework for ensuring the effectiveness of information security controls," and ". . . provide effective governmentwide management and oversight of the related information security risks . . . ."

So why the emphasis on paperwork and reporting rather than managing risk over the last 11 years? Compliance is easier to measure. Reports from auditors and inspectors general have given congressional overseers an easy way to grade agencies, either with an A, B . . . F report card or a green-yellow-red dashboard.

The C-level executives who must report to Congress have embraced this. Their approach to IT security, Scanlon said, is, "get the IG off my back."

Al Seifert, CEO of MSB Cybersecurity and formerly security officer for the Defense Department's Global Command and Control System, called FISMA a "noble endeavor" that has not fulfilled its promise.

"We are not collecting the metrics we need to ensure that our security is working," he said. "Everybody fears the auditor."

Security automation still is rudimentary and focused on compliance reporting, Seifert said. But the technology exists to do better. The Homeland Security Department's Cyberscope reporting system and the growing list of commercial tools that support the Security Content Automation Protocol make it possible to focus on real risk rather than merely playing the compliance game.

Risk management ultimately is a business decision that must be made at the CIO or CEO level of an agency, not by the IT people in the security shop, Scanlon said. Because security is not perfect, the level of acceptable risk must be determined based on an agency's business and mission needs. Then it is up to the security people to manage that risk.