
Government, Not Vendors, Must Lead In Securing Federal IT

No doubt the IT security industry has a lot of knowledge to share with the federal government to help secure government IT systems and Web sites. With near-failure grades on IT security scorecards, the feds need the assistance.
One approach died last week when the federal CIO Council withdrew its support from the CISO Exchange, a privately run group chaired ostensibly by senior government IT officials. The way the CISO Exchange worked, six companies willing to fork over $75,000 could join the Exchange's exclusive advisory board comprised of leading federal CIOs and chief information security officers. Other vendors, with smaller contributions, would have had some, but more limited, access to these officials. The arrangement smacked of pay to play, and the Exchange's initial cheerleader in Congress, House Government Reform Committee chairman Tom Davis, vacated his earlier, enthusiastic endorsement.

There's talk in Washington of having the Industry Advisory Council sponsor a group to help the federal government in securing its IT. As its name suggests, the IAC is an industry-run organization that mingles frequently with senior government IT officials at events and retreats funded by the IT industry. Indeed, many of IAC's members are former government IT executives. It's the way Washington works, the revolving door between business and government. Unlike the CIO Exchange, no individual company needs to pony up extra money to gain special access to government IT officials. In Washington, that's a big difference.

Still, as raised in an earlier blog, having a private organization charged with leading the fight to secure government IT systems isn't the best approach. If government IT security is so important, and it is, then money to fund research to generate better ideas should come from government coffers. Otherwise, the appearance of a conflict of interest exists. Regardless of their good intentions, the specter of vendors more interested in selling products and services than offering unbiased advice permeates such an environment.

Though she hasn't ruled out an association with the likes of the IAC, the government's top IT executive, Karen Evans, last week called on the CIO Council's best-practices committee to develop ways to improve weak cybersecurity scores among federal departments and agencies. Evans, who as administrator of IT and E-government in the White House Office of Management and Budget chairs the CIO Council, is onto something. Whether it's the best-practices committee or some other panel on the CIO Council, that's where efforts to improve IT security through collaborations inside and outside of government belong. There's nothing stopping the CIO Council from seeking advice from the private sector, including the IAC. Retaining control within the CIO Council means government officials will call the shots, and not those who could reap benefits beyond that of a more secure federal IT system.