By Kellie Lunney
September 27, 2007
Editor's note: The following story appears in the Sept. 15 issue of
Government Executive Magazine, which focuses on the challenges facing
C-title federal executives. That issue also includes a directory of more
than 500 key decision makers in federal finance, information technology,
procurement and personnel.
It's a job with little authority and no budget of its own. Few people
are aware of the post, or its role in safeguarding millions of
Americans' personal information and ensuring the continuity of
government. Not every federal agency even has one. When chief
information security officers do get attention, it's usually because
someone lost or swiped a laptop. In a government populated with
countless thankless jobs, the challenges facing cybersecurity managers
seem especially daunting.
"Chief information security officers are like offensive linemen in
football," says John Pescatore, vice president of the information
security practice at Gartner Inc., an IT research and advisory company
in Stamford, Conn. "You only know their name when they screw up."
Despite their relative obscurity when all is well, federal information
security chiefs have been around in some capacity for the last decade.
But they didn't get an official job description until Congress passed
the 2002 Federal Information Security Management Act, tasking the Office
of Management and Budget and the National Institute of Standards and
Technology with overseeing the effort. CISOs report to agency chief
information officers, whose own top priority these days is also
cybersecurity. So why do agencies need CISOs?
William J. Hunteman Jr., associate chief information officer for
cybersecurity at the Energy Department, says the group "provides the
overall leadership, strategic planning and vision for an effective
cybersecurity program in the particular organization they are in."
Hunteman, who has worked in cybersecurity at Energy for two decades and
has been CISO for the past 16 months, likens the job to sales. "One of
the big things CISOs don't get is that the job is a lot of marketing,
selling if you will, of cybersecurity within the organization."
CIOs, on the other hand, have more than information security to pitch;
they are responsible for figuring out how entire computer networks
relate to the department's overall IT and business structures.
"They really are two different jobs," says Michael F. Brown, director of
the Office of Information Systems Security at the Federal Aviation
Administration and former CIO for the Army National Guard.
Some argue that CISOs can end up spending more time on paperwork than on
actual cybersecurity. "In recent years, the paperwork load has become so
onerous that many operational units have hired their own staff to deal
with the paperwork so the unit can continue to focus on producing
business results," says Andy Boots.
Now retired, Boots was CISO at the Education Department's Federal
Student Aid and the Treasury Department's Office of the Comptroller of
the Currency. "In many organizations, CISOs now preside over their own
shadow organizations, producing reports on demand but otherwise making
no relevant impact on the organization," he says.
CISOs interviewed for this story say they work closely with CIOs, but
the latter tend to eclipse their security chiefs, if only because of
their elevated status in the reporting chain. "The CISO is a fairly new
role, and it does not control the purse strings," says Gartner's
Pescatore. "It is often just the bully pulpit. It's hard for CISOs to
It's also difficult for CISOs to control errant employees. Several
highly publicized incidents involving lost or stolen computers, hard
drives and other technology containing sensitive data over the last few
years have made the government look inept and bumbling when it comes to
information security. In OMB's latest report to Congress on FISMA, the
Homeland Security Department cited 338 separate security incidents at 15
agencies in fiscal year 2006 involving "personally identifiable
information," which can include citizens' names, birth dates and Social
For example, in May 2006 a laptop and hard drive with millions of
veterans' personal information, including their Social Security numbers,
was stolen from the Maryland home of a Veterans Affairs Department
employee. Officials recovered the equipment about two months later and
determined the information was not compromised. But it was a lucky
Other problems have surfaced at the agency, including a hard drive lost
earlier this year from an Alabama VA facility and the subsequent
cover-up by an agency IT specialist. Last summer, Pedro Cadenas Jr.
resigned as CISO at VA.
VA's struggles demonstrate the importance of educating the workforce.
CISOs not only are responsible for selling cybersecurity to senior
leadership, but also getting buy-in from the rank and file.
"The stolen laptop at Veterans Affairs was a failure to manage what
employees do," says Boots. "VA had a good FISMA score card, the system
including the stolen laptop had been certified and accredited. From a
FISMA standpoint, all was well." In other words, compliance doesn't
always prevent breaches.
"What you have to do is create an environment where people are aware of
risk," says Karen Evans, OMB's administrator for e-government and IT.
"The bottom line is people are going to make mistakes, so you don't want
to create an environment where, when they make a mistake, they are
afraid to report it to somebody."
VA is hardly unique when it comes to information security breaches.
Other agencies that have occupied the hot seat when sensitive
information turned up missing include the Centers for Medicare and
Medicaid Services, Census Bureau and Internal Revenue Service.
Federal agencies now are required to report to OMB, law enforcement
agencies and affected individuals, among others, when a breach occurs.
This is a victory for government transparency and accountability, but it
doesn't make the paper trail any shorter for CISOs.
In response to last year's incident at VA, OMB issued a memo requiring
agencies to implement tighter security measures, including encrypting
all sensitive data on mobile computers and other devices, allowing
remote access only with two-factor authentication, and timing out remote
access after 30 minutes of inactivity. While responsibility for
information security implementation ultimately rests with CIOs, the
CISOs are responsible for the nuts and bolts, which are not always
popular with employees.
OMB's Evans is aware of complaints from CISOs about too many reporting
and compliance requirements, but says it doesn't have to be a burden.
"Certification and accreditation doesn't mean you crank out a 300-page
report; it means you really go through the process of analyzing the
service. If you are managing the project and have thought about it, the
document is easy to put together because you have done the analysis."
Evans says part of OMB's job is to help agencies and security chiefs
focus on results, rather than "just complying with another OMB policy."
FISMA is the foundation of most, if not all, information security
directives, but some believe the process has failed to keep pace with
security realities. "Many people, myself included, believe the FISMA
process measures the wrong things and fails to measure the right
things," says Bruce Brody.
A former CISO at VA and Energy, Brody is vice president for information
assurance at federal IT contractor CACI in Arlington, Va. "As a result,
precious resources are expended for the sake of FISMA compliance, as
opposed to getting federal systems and networks to truly higher levels
of security," he says.
Twenty-one of the 24 departmental inspectors general have included
information security among their agencies' major management challenges,
according to a July report from the Government Accountability Office.
In fiscal 2006 alone, federal agencies spent $5.5 billion securing the
government's total IT investment of approximately $63 billion, according
to OMB. The number of information systems within an agency varies
widely, depending on size. For example, the relatively small National
Science Foundation has 19 systems, while VA -- the second-largest agency
after Defense -- has a whopping 595. CISOs must educate employees about
security procedures, but they also have to ensure technology systems are
well-protected against nefarious outsiders.
Part of that involves a three-year-old Homeland Security Presidential
Directive, known as HSPD-12. Oct. 27 marks the next benchmark for
creating governmentwide, standardized smart cards for employees and
contractors. Given the many information security systems, types of
technology and procedures across government, it's one of the most
complex security initiatives ever.
The goal is to produce a common ID for access, as needed, to government
buildings and computer systems. By late October, agencies are supposed
to have verified or completed background investigations on all current
employees and contractors. The challenge of HSPD-12 mirrors, on a
governmentwide scale, one that CISOs face inside their own agencies:
collecting performance metrics from each shop to present a clear and
comprehensive snapshot of the agency's overall cybersecurity to senior
leaders.
"How do you respond to the deputy secretary when he says, 'How are you
doing today?' " says Energy's Hunteman, who estimates there are 1
million attempts each day to breach the security systems at any one of
the department's national labs.
Boiling the Ocean
Hunteman's question brings to mind another factor for CISO success:
visibility. A CISO's influence and impact depend largely on the
importance senior leaders attach to information security. That also goes
for chief security officers -- the CISO's private sector counterparts.
"In every case, a CSO has to be empowered," says Ken Silva, the former
executive technical director at the National Security Agency and now
chief security officer at VeriSign, an Internet security and telecom
company in Mountain View, Calif.
VeriSign, which recently had its own mishap with a missing laptop, is
one of the largest issuers of the digital certificates that underpin
encrypted and authenticated Web connections, symbolized by the padlock
icon in browsers. "You can't keep running ideas up the flagpole, or you
will never get anything done," Silva says.
Not surprisingly, industry CSOs have more flexibility, and often more
resources, than federal security chiefs, partly because their portfolios
are broader. They're responsible for both physical and information
security. But with HSPD-12, the profile of CISOs across government and
within their own agencies is likely to get a boost.
Overall, the federal IT security workforce could use some more positive
reinforcement, some say. "It must be professionalized -- recognized as a
career field -- appropriately trained, afforded with career progression
and properly compensated to perform its essential functions," says
CACI's Brody. And at the senior level of that career, CISOs should enjoy
the same professional advancement and respect given to the rest of the
chief community, Brody adds.
"They are trying to boil the ocean," says Silva of the challenges
federal security chiefs face. "There are so many people and so many
computers they are trying to get into compliance that, frankly, were not
before. It's a testament to their commitment that they are willing to do
Kellie Lunney is a reporter for National Journal and the former managing
editor of GovernmentExecutive.com.