CISOs: Trusting Tech, Not One Class of People
As I glanced through the (ISC)2 report entitled The 2010 State of Cybersecurity from the Federal CISO's Perspective, I'm struck that the federal chief information security officers interviewed for the survey have more trust in technology than people, or at least one class of people: lawmakers.
Well over half of the CISOs surveyed responded that they were dissatisfied with Congress; that compares with 83 percent who said they were somewhat satisfied or very satisfied with the Einstein intrusion detection and prevention systems and Trusted Internet Connection initiative, known as TIC.
The fact that this group, or any group, is dissatisfied with Congress shouldn't be surprising. In fact, CISOs have a less jaundiced view of Congress than the general public: the website Real Clear Politics averaged recent surveys that showed 71 percent of the public expressing dissatisfaction with Congress.
CISOs' lack of confidence in federal legislators, according to the report's authors, is based on Congress' lack of understanding of their mission and inadequate funding of the IT security mission. I think there's another reason: the inability of Congress to act on IT security matters. In the nearly year-and-a-half life of the 111th Congress, only one significant cybersecurity bill has been approved by one house, the Cybersecurity Enhancement Act of 2010, which passed the House in February. Another bill - the Cybersecurity Act of 2010, better known as the Rockefeller-Snowe Bill - cleared the Senate Commerce, Science and Technology Committee in March, but has yet to be scheduled for debate in the Senate.
The Rockefeller-Snowe bill - as well as some other measures in various congressional committees, but not the House-passed bill - addresses how IT security should be governed, though getting a consensus on that point could be a hang-up in getting significant cybersecurity legislation enacted this year. A number of lawmakers feel that the government should establish a White House cyberspace office, with its Senate-confirmed director leading federal cybersecurity endeavors. But some legislators - most notably, Sen. Susan Collins, R.-Maine - favor placing federal cybersecurity governance, at least for civilian agencies, in the Department of Homeland Security, and the latest known version of the Federal Information Security Management Act reform bill - the United States Information and Communications Enhancement Act, sponsored by Sen. Tom Carper, D.-Del. - does just that.
A few months back, experts who closely follow Congress said enactment of a major cybersecurity bill this session was 50-50 at best. Those odds diminish as the November elections approach and lawmakers' focus shifts from legislating to getting reelected.
The fact that CISOs show more faith in technology, at least in two highly visible federal projects, shouldn't be surprising, either. The Einstein initiatives and TIC, which will cut the number of the federal government's Internet access points from thousands to fewer than 100, are technological solutions to the problem of preventing nefarious actors from gaining admission to government computers. Government policymakers have placed a lot of faith in those projects, and for now, it seems they have the support of the federal managers in the trenches charged with carrying them out.
But not all technologies have received the universal blessing of federal CISOs. The (ISC)2 survey reveals that 72 percent of CISOs say their agencies have yet to adopt cloud computing, citing high levels of uncertainty around being able to replicate IT security policies in the cloud (45 percent) and data loss prevention (21 percent).
Still, among those who see promise in cloud computing, 41 percent see the potential for improving security, particularly through identification-based network solutions that employ role-based access controls; 37 percent cited the cloud as enabling strategic architectures.
The CISOs who report that their agencies employ cloud computing services for mission delivery say they have enforced security policies in place, which the authors interpret as meaning that some useful templates could be used as reference for other CISOs seeking to explore cloud computing.
All this attention to cybersecurity is being reflected in how CISOs see their jobs. A clear majority of CISOs see their responsibilities becoming more political/policy oriented and managerial; only one-quarter feel they're becoming more technical.
This is a trend that most CISOs' bosses - chief information officers - have seen over the past couple of decades. As technology becomes more infused with the operations of any business - including government - the more technology leaders must address non-technology matters. And, as IT security pervades the operations of business and government, CISOs must become more business and politically savvy. Just ask John Streufert, the State Department deputy CIO for security, who is the epitome of the new CISO.