(ISC)²® Report: Federal CISOs Say Economic Crisis Will Increase Security Vulnerabilities and Improve Personnel Retention
In First Comprehensive Survey, Federal CISOs Give Opinions on Growing Threats in a Recession, CNCI, TIC, Building a Top Workforce and Their Role in a New Administration
“The State of Cybersecurity from the Federal CISO’s Perspective” is the first comprehensive survey of federal agency and bureau-level CISOs. It was conducted to get a front-line perspective on the current and future state of agency programs; which tools, technologies and resources CISOs think they need to accomplish their mission; how well federal security programs and initiatives are working; and whether the economy is affecting their ability to recruit and retain top personnel.
The survey data showed that CISOs believe the global economic crisis will increase risks to federal information and information systems, largely as a result of pressure to deploy solutions more quickly, but that the resulting lackluster employment market will improve the ability of federal agencies to retain key security personnel. The survey data also showed that federal CISOs are becoming more empowered within their agencies, with 90 percent viewing their ability to affect the security posture of the agency as significant or influential.
“The CISOs’ responses clearly demonstrate that cybersecurity is evolving in terms of management priority,” says
Other key findings include the fact that nearly half of federal CISOs surveyed believe that, in today’s uncertain and financially challenged environment, external threats resulting in data loss are now the biggest risk to the federal government, followed by insider threats and software vulnerabilities. However, CISOs are split on government progress in the battle to safeguard agency information and systems, with half of CISOs of the opinion that they are “turning the corner” and the other half stating that their agency is still “not getting ahead of the attackers.”
The survey also uncovered CISOs’ needs, priorities and recommendations for more secure federal systems. They include the following:
- They strongly favor a shift from compliance reporting to continuous monitoring, as well as the imposition of stricter security requirements during the acquisition of all major IT systems.
- CISOs wish they had more resources and even more senior buy-in than they’re currently getting to accomplish their mission.
- Hiring of information security professionals remains weak at most agencies, but CISOs say that when they do hire, the most important selection criteria will be experience, professional certifications and communication skills.
- CISOs’ top three current priorities are addressing threats to government information systems, improving cybersecurity governance and meeting compliance objectives.
- To help achieve those priorities, CISOs would like to have stronger intrusion detection and prevention tools, stronger authentication and more encryption.
- CISOs think good progress is being made with the Einstein and Federal Desktop Core Configuration (FDCC) programs, but they don’t think the Homeland Security Presidential Directive-12 (HSPD-12) or the Trusted Internet Connection (TIC) programs have been as successful.
Notably, the survey found real frustration and a lack of confidence among CISOs in the Comprehensive National Cybersecurity Initiative (CNCI), developed during the Bush Administration. They believe the program has too much of “an external focus,” with the result that not enough funds are being devoted to fixing longstanding agency security problems. To improve CNCI, more than 50 percent of CISOs say that they would like to see less classification around the program, greater attention to authentication and more access to Einstein data.
“With this report, CISOs are telling us that agencies need to move from a compliance-focused culture to one that emphasizes risk management and a more proactive approach,” says
Other findings in “The State of Cybersecurity” include the following:
- 75 percent of CISOs support mandatory professional certification for all government personnel working on information security systems, as already mandated at the Department of Defense through the 8570.1 Directive.
- 76 percent of CISOs report to the agency Chief Information Officer, but none to the Chief Operating Officer, the Chief Financial Officer or the Chief Risk Officer, which CISOs believe limits their overall effectiveness.
- Most CISOs are satisfied with their jobs and intend to stay in government service.
Responses for this survey were gathered over a three-week period in
The International Information Systems Security Certification Consortium, Inc. [(ISC)²®] is the globally recognized Gold Standard for certifying information security professionals. Celebrating its 20th anniversary, (ISC)² has now certified over 60,000 information security professionals in more than 130 countries. Based in
© 2009, (ISC)² Inc. (ISC)², CISSP, ISSAP, ISSMP, ISSEP, CAP, SSCP and CBK are registered marks and CSSLP is a service mark of (ISC)², Inc.