[Infowarrior] - Federal CISOs decry excessive paperwork

Richard Forno rforno at infowarrior.org
Thu Apr 30 23:33:49 UTC 2009


(something I've been arguing against for YEARS.....----rf)

http://www.networkworld.com/news/2009/043009-fed-ciso-survey.html

Federal CISOs decry excessive paperwork
By Carolyn Duffy Marsan , Network World , 04/30/2009

Unnecessary paperwork and too much focus on compliance reporting are  
two of the biggest distractions for federal Chief Information Security  
Officers trying to shore up government networks from external attacks,  
a new survey says.

Federal CISOs say they feel empowered and that agencies act on their  
recommendations, according to a survey that was published on Thursday.  
The survey is entitled "The 2009 State of Cybersecurity from the
Federal Chief Information Security Officer's Perspective."

But CISOs say they face organizational hurdles in bolstering network  
security such as the reporting requirements stemming from the 2002  
Federal Information Security Management Act (FISMA). FISMA requires  
agencies to adopt information security programs, conduct annual  
reviews of these programs, and report the results to the Office of  
Management and Budget.

"FISMA mandates the establishment of CISOs within each cabinet-level
agency. The FISMA reporting if nothing else required senior management
in the federal agencies to recognize the fact that ... CISOs have an
important role to play," says Lynn McNulty, director of government
affairs for survey sponsor (ISC)2 and a former federal information
security official.


While CISOs say FISMA has had a positive effect on federal  
cybersecurity efforts by requiring the establishment of their  
positions, 40% of those surveyed said FISMA has "become misdirected
or is a time-wasting exercise," the survey said.

When asked to characterize the FISMA process, only 9% of respondents
called the law "a great success." Nearly half of the respondents
(48%) said the law created real but uneven improvement. Around a
quarter of respondents (24%) called FISMA a "paper exercise with
little upside." The remaining 19% said FISMA's costs exceed its
benefits.

"FISMA is generally viewed as having a positive effect" because it
gives CISOs increased visibility and budget responsibility, says David
Graziano, Cisco's manager for federal security solutions. "But
there's a dichotomy because ... the FISMA report card doesn't help them
improve the security of the organization."

With FISMA report cards, an agency is either in compliance or not in  
compliance at a given point in time. Survey respondents said they  
would prefer an approach that focuses on managing security risks in an  
ongoing fashion.

Federal CISOs say "continuous monitoring would be a more effective
way of managing the security posture of an agency rather than annual
snapshots," McNulty says, adding that CISOs can now deploy software
tools that give them an hourly or daily view of their network security
posture.

What federal CISOs worry most about are external attacks. Federal  
CISOs were upbeat about the progress they are making against these  
attacks through the deployment of Einstein intrusion detection systems  
for monitoring Internet access points.

Another positive survey finding was that 75% of federal CISOs are in  
favor of mandatory professional certification for their staff, as is  
currently required by the Defense Department.

The survey of 40 federal CISOs was conducted in March by (ISC)2 and  
sponsored by Cisco and consulting firm Government Futures.

McNulty said the survey was the first of its kind. "We thought it was
appropriate and desirable to give CISOs an independent voice and an
opportunity to express their opinions," he said. "We hope this will
be the first of an annual survey that follows."

All contents copyright 1995-2009 Network World, Inc. http://www.networkworld.com 