The Public Eye with Eric Chabrow

'Silent' CISOs Take Stock of IT Security

Think of chief information security officers as silent types, diligent professionals who get the job done with little fanfare.

Nearly two dozen federal agency CISOs got a bit more expressive as they voiced their views about their jobs and federal government IT security as participants in a survey conducted last quarter by the IT security certification and training group (ISC)2, networking vendor Cisco and Government Futures, a Web 2.0 analysis and consulting firm.

Because of the small sample size, the responses by these CISOs - mostly from civilian agencies - can't necessarily be extrapolated to all government CISOs, but the responses seem reasonable to those who conducted the survey, who deal with federal CISOs regularly. With that proviso, judge for yourself whether or not to believe the figures.

Threat Priorities

  • External Attacks - 48 percent
  • Insider Threat - 26 percent
  • Software Vulnerabilities - 26 percent

About half the CISOs surveyed named data loss as their biggest concern from external attacks, followed by exploitation of software vulnerabilities and other intrusions.

Nearly all the CISOs want strong intrusion detection and prevention tools, with about 80 percent seeking strong authentication and encryption solutions.

Assessing Federal Hiring Posture

  • Minimal - 39 percent
  • Frozen - 22 percent
  • Replacements Only - 22 percent
  • Aggressive - 17 percent

Still, 48 percent of respondents say the economic crisis means it's easier to retain key personnel.

Three-quarters of the surveyed CISOs say that mandatory professional certification, as required under a Defense Department directive, should be extended across the government.

Characterize FISMA Compliance Process*

  • Real but Uneven Improvement - 48 percent
  • Paper Exercise with Little Upside - 24 percent
  • Cost Exceeds Benefit - 19 percent
  • A Great Success - 9 percent

* Federal Information Security Management Act of 2002

Changes Needed to the CNCI#

  • More Money for Agency Security Problems - 76 percent
  • More Emphasis on Authentication Tools - 62 percent
  • Less Classification Around the Program - 57 percent
  • More Access to Einstein Data - 52 percent
  • Increased Product Testing - 43 percent
  • More Private-Sector Involvement - 38 percent

# The Comprehensive National Cybersecurity Initiative, established last year by President Bush, is a multi-pronged approach by the federal government to identify cyber threats, address telecommunications and cyber vulnerabilities, and respond to or proactively counter entities that wish to steal or manipulate protected data on secure federal systems.

Envisioning Next Job

  • Private Sector - 33 percent
  • CIO - 24 percent
  • Stay Put - 24 percent
  • Too Busy to Plan - 19 percent

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.