Obama Should Scrap Cybersecurity Czar, Analyst Says
Gartner expert says president's plan to protect nation's computing infrastructure won't work.
As President Obama prepares to name a cybersecurity czar, an influential tech analyst said the White House should create a federal chief information security office instead.
The news comes amid InformationWeek's exclusive report Thursday that hackers have infiltrated servers operated by the U.S. Army.
"The bottom line is that increasing the national cybersecurity is an operations issue," John Pescatore, VP and analyst at Gartner, said in a statement. "The problems are well-understood, solutions are known, and gaps have been identified. Organizations with high security in private industry and government almost invariably have a strong security office and a chief information security officer (CISO), and that should be the model that the U.S. government follows."
The federal government should move into a more active role to improve security in cyberspace instead of focusing on strategies that increase spending or visibility for security, according to Pescatore.
"The evolution and technological underpinnings of the Internet are very different from those of telecommunications or any other previous infrastructure," he said. "Different approaches are required to ensure reliable and secure services in cyberspace than on old telecom networks, and the development of public policy has to proceed very differently, as well."
He said that the government will not succeed if it attempts to force top-down solutions on a peer-to-peer problem. National cybersecurity strategy should not be based on government control over the Internet, mandates, or increased reporting of attacks. Instead, it should focus on using policy and buying power to eliminate vulnerabilities, Pescatore said.
He said an effective strategy should look more like a hurricane preparedness plan or a global warming policy than mandates on the telecommunications, banking, and automotive industries.
Federal leaders should harmonize federal security standards with their commercial equivalents to eliminate duplication, he said.
"Proactive harmonization of security standards driven by the federal government will be much more effective than leaving states to define their own widely varying levels of approaches for increasing the protection of citizen data and critical infrastructures," Pescatore said.
They should also use spending power to ensure that government software procurements require application vulnerability testing, evaluate existing regulations and step up enforcement, focus on preventing attacks rather than combining efforts to prevent and detect them, and reward best practices, Pescatore said.
"Most of the publicity tends to go toward the government agencies with low Federal Information Security Management Act scores in annual audits, and currently there seems to be little or no effort to spread best practices across agencies," he explained in a report on national cybersecurity strategy (purchase required).