As cybersecurity takes on greater importance, so does the role of the chief information security officers who keep watch over data and systems.
It's a job with little authority and no budget of its own. Few people are aware of the post, or its role in safeguarding millions of Americans' personal information and ensuring the continuity of government. Not every federal agency even has one. When chief information security officers do get attention, it's usually because someone lost or swiped a laptop. In a government populated with countless thankless jobs, the challenges facing cybersecurity managers seem especially daunting.
"Chief information security officers are like offensive linemen in football," says John Pescatore, vice president of the information security practice at Gartner Inc., an IT research and advisory company in Stamford, Conn. "You only know their name when they screw up."
Despite their relative obscurity when all is well, federal information security chiefs have been around in some capacity for the last decade. But they didn't get an official job description until Congress passed the 2002 Federal Information Security Management Act, tasking the Office of Management and Budget and the National Institute of Standards and Technology with honchoing the effort. CISOs report to agency chief information officers, whose top priority these days is also cybersecurity. So why do agencies need CISOs?
William J. Hunteman Jr., associate chief information officer for cybersecurity at the Energy Department, says the group "provides the overall leadership, strategic planning and vision for an effective cybersecurity program in the particular organization they are in." Hunteman, who has worked in cybersecurity at Energy for two decades and has been CISO for the past 16 months, likens the job to sales. "One of the big things CISOs don't get is that the job is a lot of marketing, selling if you will, of cybersecurity within the organization." CIOs, on the other hand, have more than information security to pitch; they are responsible for figuring out how entire computer networks relate to the department's overall IT and business structures. "They really are two different jobs," says Michael F. Brown, director of the Office of Information Systems Security at the Federal Aviation Administration and former CIO for the Army National Guard.
Some argue that CISOs can end up spending more time on paperwork than on actual cybersecurity. "In recent years, the paperwork load has become so onerous that many operational units have hired their own staff to deal with the paperwork so the unit can continue to focus on producing business results," says Andy Boots. Now retired, Boots was CISO at the Education Department's Federal Student Aid and the Treasury Department's Office of the Comptroller of the Currency. "In many organizations, CISOs now preside over their own shadow organizations, producing reports on demand but otherwise making no relevant impact on the organization," he says.
CISOs interviewed for this story say they work closely with CIOs, but the latter tend to eclipse their security chiefs, if only because of their elevated status in the reporting chain. "The CISO is a fairly new role, and it does not control the purse strings," says Gartner's Pescatore. "It is often just the bully pulpit. It's hard for CISOs to change things."
It's also difficult for CISOs to control errant employees. Several highly publicized incidents involving lost or stolen computers, hard drives and other technology containing sensitive data over the last few years have made the government look inept and bumbling when it comes to information security. In OMB's latest report to Congress on FISMA, the Homeland Security Department cited 338 separate security incidents at 15 agencies in fiscal year 2006 involving "personally identifiable information," which can include citizens' names, birth dates and Social Security numbers.
For example, in May 2006 a laptop and hard drive holding millions of veterans' personal information, including their Social Security numbers, were stolen from the Maryland home of a Veterans Affairs Department employee. Officials recovered the equipment about two months later and determined the information had not been compromised. But it was a lucky break. Other problems have surfaced at the agency, including a hard drive lost earlier this year from an Alabama VA facility and the subsequent cover-up by an agency IT specialist. Last summer, Pedro Cadenas Jr. resigned as CISO at VA.
VA's struggles demonstrate the importance of educating the workforce. CISOs are responsible not only for selling cybersecurity to senior leadership, but also for getting buy-in from the rank and file. "The stolen laptop at Veterans Affairs was a failure to manage what employees do," says Boots. "VA had a good FISMA score card; the system including the stolen laptop had been certified and accredited. From a FISMA standpoint, all was well." In other words, compliance doesn't always prevent breaches.
"What you have to do is create an environment where people are aware of risk," says Karen Evans, OMB's administrator for e-government and IT. "The bottom line is people are going to make mistakes, so you don't want to create an environment where, when they make a mistake, they are afraid to report it to somebody."
VA is hardly unique when it comes to information security breaches. Other agencies that have occupied the hot seat when sensitive information turned up missing include the Centers for Medicare and Medicaid Services, Census Bureau and Internal Revenue Service. Federal agencies now are required to report to OMB, law enforcement agencies and affected individuals, among others, when a breach occurs. This is a victory for government transparency and accountability, but it doesn't make the paper trail any shorter for CISOs. In response to last year's incident at VA, OMB issued a memo requiring agencies to implement tighter security measures, including encrypting all sensitive data on mobile computers and other devices, allowing remote access only with two-factor authentication, and timing out remote access after 30 minutes of inactivity. While responsibility for information security implementation ultimately rests with CIOs, the CISOs are responsible for the nuts and bolts, which are not always popular with employees.
OMB's Evans is aware of complaints from CISOs about too many reporting and compliance requirements, but says it doesn't have to be a burden. "Certification and accreditation doesn't mean you crank out a 300-page report; it means you really go through the process of analyzing the service. If you are managing the project and have thought about it, the document is easy to put together because you have done the analysis." Evans says part of OMB's job is to help agencies and security chiefs focus on results, rather than "just complying with another OMB policy."
FISMA is the foundation of most, if not all, information security directives, but some believe the process has failed to keep pace with security realities. "Many people, myself included, believe the FISMA process measures the wrong things and fails to measure the right things," says Bruce Brody. A former CISO at VA and Energy, Brody is vice president for information assurance at federal IT contractor CACI in Arlington, Va. "As a result, precious resources are expended for the sake of FISMA compliance, as opposed to getting federal systems and networks to truly higher levels of security," he says.
Twenty-one of the 24 departmental inspectors general have included information security among their agencies' major management challenges, according to a July report from the Government Accountability Office.
In fiscal 2006 alone, federal agencies spent $5.5 billion securing the government's total IT investment of approximately $63 billion, according to OMB. The number of information systems within an agency varies widely, depending on size. For example, the relatively small National Science Foundation has 19 systems, while VA, the second-largest agency after Defense, has a whopping 595. CISOs must educate employees about security procedures, but they also have to ensure technology systems are well-protected against nefarious outsiders.
Part of that involves a three-year-old Homeland Security Presidential Directive, known as HSPD-12. Oct. 27 marks the next benchmark for creating governmentwide, standardized smart cards for employees and contractors. Given the many information security systems, types of technology and procedures across government, it's one of the most complex security initiatives ever. The goal is to produce a common ID for access, as needed, to government buildings and computer systems. By late October, agencies are supposed to have verified or completed background investigations on all current employees and contractors. The challenge of HSPD-12 reflects, on a larger scale, one that CISOs face every day: collecting performance metrics from each shop to present a clear and comprehensive snapshot of the agency's overall cybersecurity to senior leaders.
"How do you respond to the deputy secretary when he says, 'How are you doing today?' " says Energy's Hunteman, who estimates there are 1 million attempts each day to breach the security systems at any one of the department's national labs.
Boiling the Ocean
Hunteman's question brings to mind another factor for CISO success: visibility. A CISO's influence and impact depend largely on the importance senior leaders attach to information security. That also goes for chief security officers, the CISOs' private sector counterparts. "In every case, a CSO has to be empowered," says Ken Silva, the former executive technical director at the National Security Agency and now chief security officer at VeriSign, an Internet security and telecom company in Mountain View, Calif. VeriSign, which recently had its own mishap with a missing laptop, is one of the largest providers of digital encryption and authentication, symbolized by the padlock icon on computers. "You can't keep running ideas up the flagpole, or you will never get anything done," Silva says.
Not surprisingly, industry CSOs have more flexibility, and often more resources, than federal security chiefs, partly because their portfolios are broader. They're responsible for both physical and information security. But with HSPD-12, the profile of CISOs across government and within their own agencies is likely to get a boost. Overall, the federal IT security workforce could use some more positive reinforcement, some say. "It must be professionalized, recognized as a career field, appropriately trained, afforded with career progression and properly compensated to perform its essential functions," says CACI's Brody. And at the senior level of that career, CISOs should enjoy the same professional advancement and respect given to the rest of the chief community, Brody adds.
"They are trying to boil the ocean," says Silva of the challenges federal security chiefs face. "There are so many people and so many computers they are trying to get into compliance that, frankly, were not before. It's a testament to their commitment that they are willing to do these things."
Kellie Lunney is a reporter for National Journal and the former managing editor of GovernmentExecutive.com.