The State of Security

Priority Report: Data Center Solutions

By Cara Garretson

A handful of strategic data-center security technologies are working to help Chief Information Security Officers (CISOs) at federal agencies keep threats at bay. However, their ability to defend agency networks would be improved with changes to organizational structures and the adoption of a risk-management culture. 

Federal Chief Information Security Officers (CISOs) are making headway in the battle for cybersecurity, as protection from threats both internal and external becomes a top priority across agency leadership. However, while there are a number of data-center security technologies that CISOs feel are indispensable for their jobs, these executives also face organizational challenges and budgetary limits that keep them from achieving their goals. And because new attacks can spring up at any time, CISOs must constantly scan the threat horizon and be prepared to defend their organizations against the unknown.

The CISO Perspective
To get a sense for how federal agency CISOs are coping with threats and other security issues, the International Information Systems Security Certification Consortium Inc. (ISC)2, Government Futures, and Cisco conducted a study in 2009 of forty federal agency and bureau-level CISOs. Called The State of Cybersecurity from the Federal CISO’s Perspective, the report summarizes how CISOs feel they are faring in the battle for cybersecurity, and makes some recommendations for improvement.

In general, survey respondents said they are feeling “empowered,” since agency management is paying more attention to cybersecurity than in the past.

“The CISOs’ responses clearly demonstrate that cybersecurity is evolving in terms of management priority,” said W. Hord Tipton, executive director of (ISC)2. “Although CISOs are still facing organizational challenges, we view it as a positive sign that CISOs feel they are being listened to by senior management and that their recommendations are, for the most part, being considered and implemented.”

Still, half of the respondents said that while they are making progress to protect their agencies, they’re still “not getting ahead of the attackers,” according to the survey. The other half answered that they believe they are “turning the corner” in the battle for cybersecurity.

When it comes to top concerns, 48 percent of federal CISOs said they are most worried by external threats, due to the potential for data loss and exploits. Tied for second place are insider threats and software vulnerabilities, at 26 percent each.

Top Five for Security
As concern over external threats increases, so does the dependency that CISOs place on technologies to help them protect their perimeters, safeguard sensitive information, and prevent unauthorized access to data and resources. According to the survey, CISOs highlighted the top five data-center technologies that are most useful in combating threats:

* Intrusion detection systems/intrusion prevention systems

* Authentication

* Encryption

* Better software

* Quality product testing

Despite the advances in security technology, there are internal issues that CISOs are grappling with in the fight to protect their networks. Improving agency governance is another priority among CISOs, which includes “…getting greater buy-in from agency leadership, eliminating security stove pipes, developing sound metrics, improving IT inventory, and implementing a risk management program,” according to the survey. Compliance is another concern for respondents, who cited in particular establishing better relations with the Inspector General in their agencies and achieving certification and accreditation goals.

On the personnel front, CISOs said that retaining key security staff has been easier because of the economic crisis. As respondents look ahead to hiring in the future, they say they will look for candidates with the right experience, communications skills, professional certifications, and security clearances.

CISOs responding to the survey say there are a number of changes that federal agencies could make to how they approach cybersecurity. First, the emphasis should move from compliance reporting – which takes a snapshot of compliance levels at a certain point in time – to risk management and continuous monitoring for threats, since defending against attacks should take priority over proving compliance. The respondents also said that strict security requirements should be enforced whenever major IT systems are acquired by an agency.