The CISO Rises to the Top


By Teri Robinson

Practically a foreign concept a decade ago, the Chief Information Security Officer (CISO) has become a solid fixture within federal government and has gained clout as agencies have made information security a top priority.

Experts contend that a critical part of any agency security policy and strategy is to have someone in charge of implementing, monitoring and ensuring that policy is carried out. And agencies have taken that to heart. A survey by the 1105 Government Information Group last year found that 87 percent of the respondents had a CISO or CISO-equivalent in place.

But unfortunately, if the CISO position wasn’t simply a figurehead, it was close. Most lacked the authority to even gather information critical to security and compliance from deep within the ranks of their own agencies. But that has changed…significantly.

In a report published last year by (ISC)2, “A View from the Front Line: The State of Cybersecurity from the federal Chief Information Security Officer’s Perspective,” 90 percent of the respondents said that they had significant influence on their agency’s security strategy.

“The CISOs’ responses clearly demonstrate that cybersecurity is evolving in terms of management priority,” said W. Hord Tipton, executive director of (ISC)2, an organization which educates and certifies security professionals. “Although CISOs are still facing organizational challenges, we view it as a positive sign that CISOs feel they are being listened to by senior management and that their recommendations are, for the most part, being considered and implemented. However, that has not always been the case in the past.”

CISOs reported in the survey that there was still an abundance of issues that agencies must address, and over the past year, some of their needs have begun to be met.

For instance, (ISC)2 noted that CISOs “strongly favor(ed) a shift from compliance reporting to continuous monitoring, as well as the imposition of stricter security requirements during the acquisition of all major IT systems.” And in May of this year, the U.S. House of Representatives moved to do just that by passing the National Defense Authorization Act. The legislation contains an amendment that would move agencies away from cumbersome paper-based compliance reports to continuous monitoring through a Web-based gateway.

CISOs in the (ISC)2 report also expressed the need for “more resources and even more senior buy-in than they’re currently getting to accomplish their mission.” The proposed FISMA overhaul in part addresses the latter, giving CISOs greater latitude in gathering data from different departments and bureaus within their agencies.

And, of course, acquiring the proper resources, be it technology or people, has been a struggle against a tight budget for most CISOs. In the 1105 Government Information Group survey, 50 percent of the respondents said they expected to hire security personnel in the next 12 months. But many said they would turn to contract workers. The (ISC)2 respondents noted that they seek workers with “experience, professional certifications and communication skills.”

The Comprehensive National Cybersecurity Initiative 2 (CNCI2) announced this spring will focus on training and education and the creation of educational tracks and degree programs to turn out security professionals. In addition, a number of measures in that initiative will coordinate and manage “the federal enterprise network as a single network enterprise.” By understanding and coordinating security initiatives across agencies, the government can identify the points of vulnerability, recommend where agencies need to take action and stimulate the use of shared resources.

Most CISOs in the (ISC)2 survey claimed to be satisfied with their jobs. But while they note that they are more influential than ever before, they have a long way to go. According to the study, “76 percent of CISOs report to the agency Chief Information Officer, but none to the Chief Operating Officer, the Chief Financial Officer or the Chief Risk Officer, which CISOs believe limits their overall effectiveness.”