Agencies with smaller IT budgets bogged down with security compliance

A survey of chief information security officers reveals a divide between agency haves and have-nots in information technology spending.

A survey of federal agencies' chief information security officers shows that agencies with small information technology budgets hamper their security officers with administrative tasks, keeping them from long-term strategic planning.

Revealing a class divide, the survey, commissioned by Intelligent Decisions Inc., a Chantilly, Va.-based company, showed that federal CISOs can be divided into two categories: those controlling less than $1 million in annual information technology spending and those controlling more than $10 million.

Agencies have been under fire from Congress for failing to protect federal computer networks. The Federal Information Security Management Act is supposed to give agencies a framework for management, but members of Congress want more detailed guidance and enforcement of its configuration management provisions.

Ted Ritter, Intelligent Decisions' director of cybersecurity, said he was surprised to see the disparity between the "haves and the have-nots," and that the levels of information technology spending did not coincide with an agency's size. "We made the false assumption that the bigger the agency, the bigger the budget and the bigger the staff," he said.

CISOs with small budgets spend about 45 percent of their time getting their agency to comply with FISMA, according to the survey, compared with CISOs at agencies with larger budgets, who spend only about 22 percent of their time on compliance. Ritter said the small-budget CISOs are "working down in the weeds" on day-to-day issues such as FISMA compliance, and are not spending as much time dealing with strategic issues.

"The only reason we could come up for this was that they're just understaffed, which is forcing them to put out the fires," Ritter said. "[The CISOs] are doing a lot of the security day-to-day legwork within the agency."

About 81 percent of the CISOs said they had technology budgets of less than $1 million, while 14 percent said their budgets were greater than $10 million. About 55 percent of the CISOs surveyed said they did not have a dedicated IT security professional, and 78 percent said they did not have a help desk dedicated to security.

"Some of these guys don't have a whole lot of money to solve some very big problems," Ritter said. "Not only do they have tight budgets and tight staffs, they take on a lot of the operational parts of security."

The survey was based on 30 anonymous telephone interviews with federal agency CISOs by the public relations firm O'Keeffe & Company. There are 117 CISOs in the federal government.

Intelligent Decisions recommended that private industry invest in developing a real-time FISMA compliance tool for agencies because of the amount of time it takes to mechanically comply with the regulations. The company also encouraged private industry to become more serious about developing quality software that would require fewer patches.

Ray Bjorklund, senior vice president at Federal Sources Inc., a market research firm that analyzes federal agencies' IT budgets, said the funding divide may represent the difference between agencies with career chief information officers and those with politically appointed ones.

"The biggest argument for a politically appointed CIO is that that person will have more rapport with the other politically appointed executives," Bjorklund said. "On the other hand, political appointees come and go, and sometimes the career people might have more insight into the culture of the organization."