[ISN] Cybersecurity chiefs keep a low profile

From: InfoSec News (alerts@private)
Date: Thu Sep 27 2007 - 23:18:49 PDT


http://www.govexec.com/story_page.cfm?articleid=38145

By Kellie Lunney  
September 27, 2007

Editor's note: The following story appears in the Sept. 15 issue of 
Government Executive Magazine, which focuses on the challenges facing 
C-title federal executives. For a directory of more than 500 key 
decision makers in federal finance, information technology, procurement 
and personnel, click here [1].

It's a job with little authority and no budget of its own. Few people 
are aware of the post, or its role in safeguarding millions of 
Americans' personal information and ensuring the continuity of 
government. Not every federal agency even has one. When chief 
information security officers do get attention, it's usually because 
someone lost or swiped a laptop. In a government populated with 
countless thankless jobs, the challenges facing cybersecurity managers 
seem especially daunting.

"Chief information security officers are like offensive linemen in 
football," says John Pescatore, vice president of the information 
security practice at Gartner Inc., an IT research and advisory company 
in Stamford, Conn. "You only know their name when they screw up."

Despite their relative obscurity when all is well, federal information 
security chiefs have been around in some capacity for the last decade. 
But they didn't get an official job description until Congress passed 
the 2002 Federal Information Security Management Act, tasking the Office 
of Management and Budget and the National Institute of Standards and 
Technology with honchoing the effort. CISOs report to agency chief 
information officers, whose top priority these days also is 
cybersecurity. So why do agencies need CISOs?

William J. Hunteman Jr., associate chief information officer for 
cybersecurity at the Energy Department, says the group "provides the 
overall leadership, strategic planning and vision for an effective 
cybersecurity program in the particular organization they are in."

Hunteman, who has worked in cybersecurity at Energy for two decades and 
has been CISO for the past 16 months, likens the job to sales. "One of 
the big things CISOs don't get is that the job is a lot of marketing, 
selling if you will, of cybersecurity within the organization."

CIOs, on the other hand, have more than information security to pitch; 
they are responsible for figuring out how entire computer networks 
relate to the department's overall IT and business structures.

"They really are two different jobs," says Michael F. Brown, director of 
the Office of Information Systems Security at the Federal Aviation 
Administration and former CIO for the Army National Guard.

Some argue that CISOs can end up spending more time on paperwork than on 
actual cybersecurity. "In recent years, the paperwork load has become so 
onerous that many operational units have hired their own staff to deal 
with the paperwork so the unit can continue to focus on producing 
business results," says Andy Boots.

Now retired, Boots was CISO at the Education Department's Federal 
Student Aid and the Treasury Department's Office of the Comptroller of 
the Currency. "In many organizations, CISOs now preside over their own 
shadow organizations, producing reports on demand but otherwise making 
no relevant impact on the organization," he says.

CISOs interviewed for this story say they work closely with CIOs, but 
the latter tend to eclipse their security chiefs, if only because of 
their elevated status in the reporting chain. "The CISO is a fairly new 
role, and it does not control the purse strings," says Gartner's 
Pescatore. "It is often just the bully pulpit. It's hard for CISOs to 
change things."


Errant Employees

It's also difficult for CISOs to control errant employees. Several 
highly publicized incidents involving lost or stolen computers, hard 
drives and other technology containing sensitive data over the last few 
years have made the government look inept and bumbling when it comes to 
information security. In OMB's latest report to Congress on FISMA, the 
Homeland Security Department cited 338 separate security incidents at 15 
agencies in fiscal year 2006 involving "personally identifiable 
information," which can include citizens' names, birth dates and Social 
Security numbers.

For example, in May 2006 a laptop and hard drive with millions of 
veterans' personal information, including their Social Security numbers, 
was stolen from the Maryland home of a Veterans Affairs Department 
employee. Officials recovered the equipment about two months later and 
determined the information was not compromised. But it was a lucky 
break.

Other problems have surfaced at the agency, including a hard drive lost 
earlier this year from an Alabama VA facility and the subsequent 
cover-up by an agency IT specialist. Last summer, Pedro Cadenas Jr. 
resigned as CISO at VA.

VA's struggles demonstrate the importance of educating the workforce. 
CISOs not only are responsible for selling cybersecurity to senior 
leadership, but also getting buy-in from the rank and file.

"The stolen laptop at Veterans Affairs was a failure to manage what 
employees do," says Boots. "VA had a good FISMA score card, the system 
including the stolen laptop had been certified and accredited. From a 
FISMA standpoint, all was well." In other words, compliance doesn't 
always prevent breaches.

"What you have to do is create an environment where people are aware of 
risk," says Karen Evans, OMB's administrator for e-government and IT. 
"The bottom line is people are going to make mistakes, so you don't want 
to create an environment where, when they make a mistake, they are 
afraid to report it to somebody."


Paper Tigers?

VA is hardly unique when it comes to information security breaches. 
Other agencies that have occupied the hot seat when sensitive 
information turned up missing include the Centers for Medicare and 
Medicaid Services, Census Bureau and Internal Revenue Service.

Federal agencies now are required to report to OMB, law enforcement 
agencies and affected individuals, among others, when a breach occurs. 
This is a victory for government transparency and accountability, but it 
doesn't make the paper trail any shorter for CISOs.

In response to last year's incident at VA, OMB issued a memo requiring 
agencies to implement tighter security measures, including encrypting 
all sensitive data on mobile computers and other devices, allowing 
remote access only with two-factor authentication, and timing out remote 
access after 30 minutes of inactivity. While responsibility for 
information security implementation ultimately rests with CIOs, the 
CISOs are responsible for the nuts and bolts, which are not always 
popular with employees.

OMB's Evans is aware of complaints from CISOs about too many reporting 
and compliance requirements, but says it doesn't have to be a burden.

"Certification and accreditation doesn't mean you crank out a 300-page 
report; it means you really go through the process of analyzing the 
service. If you are managing the project and have thought about it, the 
document is easy to put together because you have done the analysis." 
Evans says part of OMB's job is to help agencies and security chiefs 
focus on results, rather than "just complying with another OMB policy."

FISMA is the foundation of most, if not all, information security 
directives, but some believe the process has failed to keep pace with 
security realities. "Many people, myself included, believe the FISMA 
process measures the wrong things and fails to measure the right 
things," says Bruce Brody.

A former CISO at VA and Energy, Brody is vice president for information 
assurance at federal IT contractor CACI in Arlington, Va. "As a result, 
precious resources are expended for the sake of FISMA compliance, as 
opposed to getting federal systems and networks to truly higher levels 
of security," he says.


Systems Overload

Twenty-one of the 24 departmental inspectors general have included 
information security among their agencies' major management challenges, 
according to a July report from the Government Accountability Office.

In fiscal 2006 alone, federal agencies spent $5.5 billion securing the 
government's total IT investment of approximately $63 billion, according 
to OMB. The number of information systems within an agency varies 
widely, depending on size. For example, the relatively small National 
Science Foundation has 19 systems, while VA -- the second-largest agency 
after Defense -- has a whopping 595. CISOs must educate employees about 
security procedures, but they also have to ensure technology systems are 
well-protected against nefarious outsiders.

Part of that involves a three-year-old Homeland Security Presidential 
Directive, known as HSPD-12. Oct. 27 marks the next benchmark for 
creating governmentwide, standardized smart cards for employees and 
contractors. Given the many information security systems, types of 
technology and procedures across government, it's one of the most 
complex security initiatives ever.

The goal is to produce a common ID for access, as needed, to government 
buildings and computer systems. By late October, agencies are supposed 
to have verified or completed background investigations on all current 
employees and contractors. The challenge of HSPD-12 reflects one of 
those CISOs face on a smaller scale: collecting performance metrics from 
each shop to present a clear and comprehensive snapshot of the agency's 
overall cybersecurity to senior leaders.

"How do you respond to the deputy secretary when he says, 'How are you 
doing today?' " says Energy's Hunteman, who estimates there are 1 
million attempts each day to breach the security systems at any one of 
the department's national labs.


Boiling the Ocean

Hunteman's question brings to mind another factor for CISO success: 
visibility. A CISO's influence and impact depend largely on the 
importance senior leaders attach to information security. That also goes 
for chief security officers -- the CISO's private sector counterparts.

"In every case, a CSO has to be empowered," says Ken Silva, the former 
executive technical director at the National Security Agency and now 
chief security officer at VeriSign, an Internet security and telecom 
company in Mountain View, Calif.

VeriSign, which recently had its own mishap with a missing laptop, is 
one of the largest providers of digital encryption and authentication, 
symbolized by the padlock icon on computers. "You can't keep running 
ideas up the flagpole, or you will never get anything done," Silva says.

Not surprisingly, industry CSOs have more flexibility, and often more 
resources, than federal security chiefs, partly because their portfolios 
are broader. They're responsible for both physical and information 
security. But with HSPD-12, the profile of CISOs across government and 
within their own agencies is likely to get a boost.

Overall, the federal IT security workforce could use some more positive 
reinforcement, some say. "It must be professionalized -- recognized as a 
career field -- appropriately trained, afforded with career progression 
and properly compensated to perform its essential functions," says 
CACI's Brody. And at the senior level of that career, CISOs should enjoy 
the same professional advancement and respect given to the rest of the 
chief community, Brody adds.

"They are trying to boil the ocean," says Silva of the challenges 
federal security chiefs face. "There are so many people and so many 
computers they are trying to get into compliance that, frankly, were not 
before. It's a testament to their commitment that they are willing to do 
these things."

Kellie Lunney is a reporter for National Journal and the former managing 
editor of GovernmentExecutive.com.

[1] http://www.govexec.com/chiefs/





This archive was generated by hypermail 2.1.3 : Thu Sep 27 2007 - 23:51:13 PDT