With D+ On Their Report Card, Federal Security Officers Try A Study Group
Government cybersecurity managers will form the CISO Exchange after another poor report on federal computer security.
The consistent failure of many federal agencies to secure their IT systems effectively has prompted government officials to create a new organization, to be funded by the private sector, to help federal chief information security officers improve cybersecurity.
The formation of the CISO Exchange, announced Wednesday, came as the House Government Reform Committee issued a federal computer-security report card in which the average grade for 2004 was a D+.
Federal CISOs need better guidance to comply with the 2002 law that requires agencies to secure their IT systems and networks. In a survey of one-quarter of federal CISOs, 70% say they want clarification of guidelines and 53% recommended that guidance be improved on the annual security-control tests conducted by agencies' inspectors general.
"It's not sufficient to keep admonishing these guys," says Stephen O'Keefe, the head of an IT public relations, research, and events firm, who will serve as the CISO group's executive. "We have to provide a forum where they can have a seat at the table, learn from others, and get feedback on ideas."
The creation of the CISO Exchange was announced by Rep. Tom Davis, the Virginia Republican who chairs the Government Reform Committee and the federal CIO Council, a congressionally mandated group of CIOs who represent major federal departments and agencies.
Unlike the CIO Council, the CISO Exchange will be an informal organization aimed at giving 117 federal departmental and agency CISOs a common voice. The exchange will be co-chaired by Justice Department CIO Van Hitch, who chairs the CIO Council's cybersecurity and privacy committee, and Government Reform Committee staff director Melissa Wojciak.
Davis, in a statement, said the exchange is patterned after other government efforts to cross-pollinate ideas and best practices between the private sector and government in order "to move our government to the top of the class in IT security." The CISO Exchange will hold quarterly education meetings as well as produce a report on federal IT security priorities and operations.
O'Keefe says 100% of CISO Exchange funding will come from business, mostly IT security companies, and not government coffers. No company has been asked to commit money to the venture, since O'Keefe says that CISO Exchange wanted to await the announcement of the group's formation before soliciting contributions. He says a number of companies have expressed interest in supporting the exchange, which doesn't yet have a budget.
Seven cabinet departments received a grade of F on their computer-security report card: Agriculture, Commerce, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, and Veterans Affairs. The grades for Commerce and Veterans Affairs dropped from 2003 scores of C- and C, respectively.
The biggest jump in performance occurred at Transportation, which received an A- after getting a D+ in 2003. The Agency for International Development had the highest grade, an A+, up from a C- in 2003.
In the CISO survey, conducted by IT security-management provider Telos Corp., the vast majority of security officers said there was no correlation with the scorecard grades they received and government funding of IT security initiatives. "If there are no incentives for agencies to continue to comply with FISMA requirements," Telos chief security officer Richard Tracy says, "what's the point?"
2014 Next-Gen WAN SurveyWhile 68% say demand for WAN bandwidth will increase, just 15% are in the process of bringing new services or more capacity online now. For 26%, cost is the problem. Enter vendors from Aryaka to Cisco to Pertino, all looking to use cloud to transform how IT delivers wide-area connectivity.
The UC Infrastructure TrapWorries about subpar networks tanking unified communications programs could be valid: Thirty-one percent of respondents have rolled capabilities out to less than 10% of users vs. 21% delivering UC to 76% or more. Is low uptake a result of strained infrastructures delivering poor performance?
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?