'Silent' CISOs Take Stock of IT Security
Think of chief information security officers as silent types, diligent professionals who get the job done with little fanfare.
Nearly two dozen federal agency CISOs got a bit more expressive, of sorts, as they voiced their views about their jobs and federal government IT security as participants in a survey conducted last quarter by the IT security certification and training group (ISC)2, networking vendor Cisco and Government Futures, a Web 2.0 analysis and consulting firm.
Because of the small sample size, the responses by these CISOs - mostly from civilian agencies - can't necessarily be extrapolated to all government CISOs, but the responses seem reasonable to those who conducted the survey and who deal with these CISOs regularly. With that proviso, judge for yourself whether or not to believe the figures.
- External Attacks - 48 percent
- Insider Threat - 26 percent
- Software Vulnerabilities - 26 percent
About half the CISOs surveyed deemed data loss their biggest concern from external attacks, followed by the exploitation of software vulnerabilities and other intrusions.
Nearly all the CISOs want strong intrusion detection and prevention tools, with about 80 percent seeking strong authentication and encryption solutions.
Assessing Federal Hiring Posture
- Minimal - 39 percent
- Frozen - 22 percent
- Replacements Only - 22 percent
- Aggressive - 17 percent
Still, 48 percent of respondents say the economic crisis means it's easier to retain key personnel.
Three-quarters of the surveyed CISOs say that mandatory professional certification, as required under a Defense Department directive, should be extended across the government.
Characterize FISMA Compliance Process*
- Real but Uneven Improvement - 48 percent
- Paper Exercise with Little Upside - 24 percent
- Cost Exceeds Benefit - 19 percent
- A Great Success - 9 percent
* Federal Information Security Management Act of 2002
Changes Needed to the CNCI#
- More Money for Agency Security Problems - 76 percent
- More Emphasis on Authentication Tools - 62 percent
- Less Classification Around the Program - 57 percent
- More Access to Einstein Data - 52 percent
- Increased Product Testing - 43 percent
- More Private-Sector Involvement - 38 percent
# The Comprehensive National Cybersecurity Initiative, established last year by President Bush, is a multi-pronged approach by the federal government to identify cyber threats, shore up telecommunications and cyber vulnerabilities, and respond to or proactively address entities that wish to steal or manipulate protected data on secure federal systems.
Envisioning Next Job
- Private Sector - 33 percent
- CIO - 24 percent
- Stay Put - 24 percent
- Too Busy to Plan - 19 percent