If you are a federal Chief Information Security Officer (or even if you are not), you face some serious trials just doing your difficult job.
Federal agencies in particular lack clarity on how to ensure that their CISOs have adequate authority to carry out their duties effectively in the face of numerous challenges, according to a report out this week from the watchdogs at the Government Accountability Office.
The GAO said that 13 of the 24 agencies it reviewed for its report, including the Departments of Defense, Commerce, Energy, Justice and State, “had not fully defined the role of their CISO in accordance with these requirements. For example, these agencies did not always identify a role for the CISO in ensuring that security controls are periodically tested; procedures are in place for detecting, reporting, and responding to security incidents; or contingency plans and procedures for agency information systems are in place. Thus, CISOs' ability to effectively oversee these agencies' information security activities can be limited,” the GAO stated.
The need for more clarity in the CISO role is obvious: “The emergence of increasingly sophisticated cyber threats underscores the need to manage and bolster the security of federal information systems. For example, advanced persistent threats—where an adversary that possesses sophisticated levels of expertise and significant resources can attack using multiple means such as cyber, physical, or deception to achieve its objectives—pose increasing risks. In addition, the number and types of cyber threats are on the rise. The attack on federal personnel and background investigation files that breached the PII of more than 20 million federal employees and contractors illustrates the need for strong security over information and systems,” the GAO stated.
Some of the other factors hindering the CISO role, as identified in the GAO report, include:
- Competing priorities: Respondents identified several specific challenges related to this factor. For example, one respondent stated that security personnel at the component level report to the component’s management chain rather than to the CISO; consequently, they are often driven by the operational imperatives of the component agency rather than the security priorities of the department. The respondent also noted that programs often view cybersecurity as a drain on limited resources. Another CISO explained that agency operations drive procurements at a faster pace than is feasible for their cyber team to track. Another CISO expressed similar sentiment, stating that technology is advancing rapidly and security is often seen as getting in the way of progress. Another respondent noted that the operational priorities of the agency tend to favor maintaining existing operations rather than correcting weaknesses and vulnerabilities in a timely fashion.
- Lack of sufficient staff: CISOs identified challenges with having insufficient personnel to oversee security activities effectively. For example, one CISO noted that the information security office did not have enough personnel to oversee the implementation of the number and scope of requirements described in NIST SP 800-53 as well as to respond to audits and OMB data calls. Another noted that the agency’s security operations center did not have enough staff to operate around the clock.
- Recruiting, hiring, and retaining security personnel: One CISO stated that the agency could not offer salaries that are competitive with the private sector for candidates with high-demand technical skills. Another described a similar challenge, stating that the government’s General Schedule system restricts agencies from offering bonuses commensurate with what private sector organizations can offer. Additionally, another respondent stated that, although hiring security personnel with less experience is cheaper than hiring at higher grades, the security organization has to devote significant time and effort to bringing new staff up to speed; once those staff obtain skills and experience, they often begin looking for new jobs where they can receive a higher salary.
- Expertise of security personnel: CISOs described challenges with ensuring that personnel in highly technical roles have sufficient training opportunities and expertise in the skill sets needed. Others noted that a lack of expertise among staff limited their ability to evaluate risk, support internal testing, or oversee the security of IT acquisitions.
- Financial resources: One CISO stated that the information security organization is funded through components’ contributions to the department’s working capital fund, which creates tension between the department-wide security needs and the operational priorities of the component agencies. Another stated that the CISO organization does not have a dedicated budget, but is funded out of the budget for the CIO organization.
The GAO said it was recommending that the Director of OMB, which has authority over the agencies, issue guidance to ensure that (1) senior agency officials carry out information security responsibilities and (2) agency personnel are held accountable for complying with the agency-wide information security program. This guidance should clarify the role of the agency CISO with respect to these requirements, as well as in implementing the other elements of an agency-wide information security program, taking into account the challenges identified in the report. The GAO also said it was making 33 recommendations to 13 of the 24 departments and agencies to ensure that the role of the CISO is defined in agency policy.
The full GAO report, including the agencies' responses to those recommendations, can be read here.