Federal CISOs: In Good Standing
Influence Within Agencies Seen Rising
Eight of 10 federal government departmental or agency chief information security officers feel they have had a significant impact or influence on the security posture of their organizations, according to a survey conducted last quarter and released Thursday by the IT security certification and training group (ISC)2, networking vendor Cisco and Government Futures, a Web 2.0 analysis and consulting firm.
That wouldn't have been the case five years ago, says Lynn McNulty, (ISC)2 director of government affairs and a former State Department information security officer who helped conduct the survey. "They feel empowered," he says. "They are making a difference and making a contribution to the security posture of their respective organizations."
McNulty sees the shift in the perceived and real influence of CISOs occurring as the impact of the Federal Information Security Management Act of 2002 began to be felt within federal agencies about a half decade ago.
Still, the recognition of the job CISOs perform, and their satisfaction with it, won't necessarily translate into an increase in their influence or power to the level of chief information officers, as some CISOs sought, though new legislation to reform FISMA gives these IT security officials greater responsibilities.
The United States Information and Communications Enhancement Act, or U.S. ICE, introduced this week by Sen. Tom Carper, D.-Del., lacks two essential elements that could strengthen the CISO's position within government: (1) having CISOs report to the secretary, director or chief operating officer of their departments or agencies rather than to the CIO, and (2) establishing a Federal CISO Council, a provision that was incorporated in similar legislation introduced by Carper last year but never enacted.
Among survey respondents, three-quarters report to CIOs with another 10 percent to deputy CIOs.
Federal CIOs have flexed their collective muscles in persuading Congress, at least for now, to have the CISOs continue to report to agency CIOs, reasoning that security is a vital component of their job. Advocates of having CISOs report up the chain say security is so crucial for agencies to function that those responsible for securing IT should report to those with the overall responsibilities of the organization.
"A lot of CISOs believe the higher they report to, the more effective they are," McNulty says, adding that "they enjoy the kind of visibility that comes along with reporting to the chief operating officer or somebody else higher up in the bureaucracy. We're all looking for impact, and people believe that you get it if you report to somebody higher up in the bureaucracy."
Carper, in U.S. ICE, jettisoned the CISO Council idea because the matters the proposed panel would have tackled have been absorbed by a Federal CIO Council committee on IT security, co-chaired by Justice CIO Vance Hitch and Navy CIO Robert Carey. Carey, in an interview with GovInfoSecurity.com, points out that existing law assigns agency heads and the CIOs ultimate responsibility for IT security. In addition, he says, the CIO Council's IT security panel has a number of CISOs as key participants.
But McNulty sees the failure to create the CISO Council diminishing the role of CISOs. "I'm always looking for people in the security function to be given some latitude and have some independence of the CIO," he says. "I thought it was potentially a step backward."
Nonetheless, the role of the CISO will strengthen under Carper's bill if enacted as written. U.S. ICE delineates many more responsibilities for the CISO than did FISMA - indeed, the new bill formally designates the job as CISO vs. the more generic "a senior agency information security officer" referred to in FISMA. For instance, U.S. ICE tasks CISOs to coordinate their agencies' policies with the security operation centers operated by U.S.-CERT, the FBI and the Strategic Command's Joint Task Force-Global Network Operations, among others.
Under U.S. ICE, CISOs will continue to grow their influence, but they'll likely not be at center stage as some hoped; instead, they'll be off in the wings helping to direct the securing of government IT.