Survey finds digital divide among federal CISOs

22.11.2004
By Dan Verton

A survey released Monday shows that federal chief information security officers (CISO) who lack the political clout that often comes with big budgets are struggling under the weight of regulatory paperwork, while counterparts at larger agencies have the time, money and manpower to work on strategic planning.

The survey of 25 federal CISOs, conducted by Chantilly, Va.-based Intelligent Decisions Inc., examined the CISO role and focused on daily duties, budgeting and management responsibilities. According to the findings, a "class" divide exists between federal CISOs who control less than half a million dollars in annual IT security spending and those who control more than US$10 million.

Ted Ritter, director of cybersecurity at Intelligent Decisions, said CISOs who manage budgets of less than US$500,000 are loaded down with administrative tasks and hard-pressed to carry out strategic security management functions. Survey respondents from this class said they devote 45 percent of their time to paperwork related to Federal Information Security Management Act (FISMA) compliance reporting; just 22 percent of their time goes to high-value security management functions, such as architecture development, inventory control and vendor collaboration.

Passed in 2002, FISMA requires agencies to apply risk management techniques to make their computer information systems more secure.

By contrast, CISOs from agencies with larger budgets spend only 27 percent of their time on FISMA compliance reporting and dedicate almost half of their time to high-value security management functions.

"We assumed incorrectly that all federal CISOs had people working for them to do administrative tasks such as FISMA reporting," said Ritter. Ironically, although FISMA mandated the creation of a CISO position for each federal agency, the law did little to ensure that every agency had the resources and the tools necessary to both remain compliant with the law and improve security, Ritter said.

John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc., called FISMA "a big paperwork exercise" but said federal CISOs weren't making much progress in improving IT security before FISMA either. Rather, it took the public release of agency report cards by Rep. Adam Putnam (R-Fla.), chairman of the House Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, to force changes, said Pescatore.

Alan Paller, director of research at the SANS Institute, in Bethesda, Md., said FISMA consumes a large part of federal IT security management investments -- even at large agencies. But that effort doesn't seem to be paying off, he said.

"If the FISMA effort could be shown to improve security, then that investment would be warranted," said Paller. But, "I have not been able to find any agency executive who can demonstrate that FISMA reporting to date resulted in significant improvements in security (that is) worth the expenditure."

There have been minor improvements, however, Paller said. For example, as of Aug. 23, the Office of Management and Budget has focused part of the agency reporting requirements on ensuring that agencies meet the minimum security configuration clause of FISMA -- "the single most important clause in FISMA," according to Paller.

"As agencies move to implement minimum security configurations, not only will security improve, but costs will go down at the same time," he said.

An example of how this is beginning to take shape is the Nov. 19 announcement by the U.S. Air Force that it plans to standardize its Microsoft Corp. contracts and require specific configurations upon delivery.

At a news conference Friday, Air Force CIO John Gilligan said that beginning in 2005, the service will require its 525,000 personnel and civilian support staff to use one specially configured version of Microsoft's operating system and applications. Gilligan said the Air Force wants a single version of Microsoft products, configured with specific security settings out of the box. The goal is to overcome the challenge of applying software patches across a global enterprise whenever Microsoft announces new vulnerabilities, Gilligan said.

In fact, the Intelligent Decisions survey identified patch management as the top concern of federal CISOs. And although patch management requires every agency to have a dedicated support infrastructure in place, the survey surprisingly found that only 22 percent of the federal CISOs surveyed said their agency had a help desk in place for security issues.