With D+ On Their Report Card, Federal Security Officers Try A Study Group
Government cybersecurity managers will form the CISO Exchange after another poor report on federal computer security.
The consistent failure of many federal agencies to secure their IT systems effectively has prompted government officials to create a new organization, to be funded by the private sector, to help federal chief information security officers improve cybersecurity.
The formation of the CISO Exchange, announced Wednesday, came as the House Government Reform Committee issued a federal computer-security report card in which the average grade for 2004 was a D+.
Federal CISOs need better guidance to comply with the 2002 law that requires agencies to secure their IT systems and networks. In a survey of one-quarter of federal CISOs, 70% said they want clarification of guidelines and 53% recommended that guidance be improved on the annual security-control tests conducted by agencies' inspectors general.
"It's not sufficient to keep admonishing these guys," says Stephen O'Keefe, the head of an IT public relations, research, and events firm, who will serve as the CISO group's executive. "We have to provide a forum where they can have a seat at the table, learn from others, and get feedback on ideas."
The creation of the CISO Exchange was announced by Rep. Tom Davis, the Virginia Republican who chairs the Government Reform Committee and the federal CIO Council, a congressionally mandated group of CIOs who represent major federal departments and agencies.
Unlike the CIO Council, the CISO Exchange will be an informal organization aimed at giving 117 federal departmental and agency CISOs a common voice. The exchange will be co-chaired by Justice Department CIO Van Hitch, who chairs the CIO Council's cybersecurity and privacy committee, and Government Reform Committee staff director Melissa Wojciak.
Davis, in a statement, said the exchange is patterned after other government efforts to cross-pollinate ideas and best practices between the private sector and government in order "to move our government to the top of the class in IT security." The CISO Exchange will hold quarterly education meetings as well as produce a report on federal IT security priorities and operations.
O'Keefe says 100% of CISO Exchange funding will come from business, mostly IT security companies, and not government coffers. No company has been asked to commit money to the venture, since O'Keefe says that CISO Exchange wanted to await the announcement of the group's formation before soliciting contributions. He says a number of companies have expressed interest in supporting the exchange, which doesn't yet have a budget.
Seven cabinet departments received a grade of F on their computer-security report card: Agriculture, Commerce, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, and Veterans Affairs. The grades for Commerce and Veterans Affairs dropped from 2003 scores of C- and C, respectively.
The biggest jump in performance occurred at Transportation, which received an A- after getting a D+ in 2003. The Agency for International Development had the highest grade, an A+, up from a C- in 2003.
In the CISO survey, conducted by IT security-management provider Telos Corp., the vast majority of security officers said there was no correlation between the scorecard grades they received and government funding of IT security initiatives. "If there are no incentives for agencies to continue to comply with FISMA requirements," Telos chief security officer Richard Tracy says, "what's the point?"