By Jill R. Aitoro
August 11, 2008
To understand what it's like to be a federal chief information security
officer, consider Larry Ruffin. As CISO at the Interior Department, his
job could be described as having little to do with being a chief and not
much more about security.
Although he regards Interior's current information security as "far from
inadequate," Ruffin and Chief Information Officer Michael Howell don't
have a way to check that the department's network security is configured
correctly or to monitor suspicious activity on a daily basis. Ruffin
also has no authority and few resources to check on the security of
employees' equipment, such as laptops, workstations and servers, or to
monitor specific applications. He has to rely on verbal and written
promises from Interior's bureau managers that they are complying with
security policies. To a limited extent, Ruffin says, he conducts on-site
checks of systems, which in the end offer little insight into the state
of IT security departmentwide.
"How do you take control, when you don't [have authority over] the funds
or maintain clear authority to make decisions? That stymies processes,"
Ruffin says. "We don't get clear approvals and don't feel empowered to
make decisions that might have budgetary impacts. Those decisions can
get made, but rarely."
Ruffin isn't alone. His experience is common to CISOs across government.
Security budgets are paper thin, and CISOs rarely have the authority to
enforce security policies down deep into individual department offices.
Their job is one of frustration: they know what is required to protect
agency networks, but they cannot get it done. It is no wonder that a
growing number of security analysts warn that serious breaches are
likely, if they have not already occurred.