Unshackling the CISO from the CIO

CISOs', CIOs' Priorities Don't Necessarily Mesh
Let's acknowledge a counterargument up front: if federal law unshackled the CISO from the CIO's chain of command, would information security across the federal government be appreciably improved? Could it possibly be any worse than it is now?
Various drafts of new cybersecurity legislation have addressed the subject over the past year. In the Senate, S. 3480 from the Homeland Security and Governmental Affairs Committee requires the head of the agency - the secretary or the administrator, for example - to delegate to the CISO the authority and budget necessary to ensure and enforce compliance with federal security requirements. [Noteworthy is the word "enforce," which was missing from FISMA and carries significant authority for the individual in this position.]
The mere fact that congressional concern extends to the point where the secretary or administrator will be required to appoint the CISO, and the CISO will have the power to enforce compliance, clearly demonstrates that Congress does not believe the current approach works. Rather, Congress views the CIO as part of the problem.
Perhaps Congress has rightfully concluded that no CISO will be allowed to give an unvarnished opinion of the true security posture of the agency's enterprise as long as the top official responsible for IT does not wish that opinion to be revealed. Under the current structure, the CIO is free to raid the security budget to fund any other priority; the CIO may feel inclined to overlook a powerful peer's security deficiencies; or the CIO may disregard security recommendations that interfere with 'really neat' functionality. By placing the CIO in a position of superiority over the CISO, the CISO is marching to the CIO's orders and working off the CIO's list of priorities, not to mention attempting to earn the performance bonus that the CIO must approve. If that is the situation FISMA intended, then Congress should simply have given the security job, and the corresponding accountability, to the CIO. In a way, that is what Congress did.
What the congressional staffs all seem to agree upon, and what they are trying to empower, is a single qualified and competent individual who has the authority and accountability to improve and manage the security of the agency's enterprise. That individual is not the CIO, nor should that individual report to the CIO. In commercial industry, there are many organizational counterexamples, including the CISO reporting to the chief security officer, chief financial officer, chief risk officer, or directly to the chief executive officer. For that matter, the risk executive function has not received appropriate attention in the executive branch. Each agency has a responsibility to evaluate and manage risk to its mission on a continuous basis, irrespective of risk source - financial, legal, physical, infrastructure, political, personnel, information and so on - so why not reposition the CISO under a risk executive?
FISMA was an attempt to improve information security in the federal government. However, by subordinating the CISO to the CIO, Congress may have missed the opportunity to create a healthy tension between information technology and information security. If risk-based and cost-effective security is to be achieved across the federal enterprise, would it not make better sense to empower and resource the CISO separate from the confines of the CIO's competing priorities?
Bruce Brody, chief executive officer of the IT security consultancy New Cyber Partners, is the former chief information security officer at the departments of Energy and Veterans Affairs.