Federal CISOs appear to trust technology more than Congress

The results of the recently released (ISC)2 sponsored report, The 2010 State of Cybersecurity from the Federal CISO’s Perspective, suggest a pervasive distrust of U.S. legislators by federal Chief Information Security Officers, based in large part on a perceived lack of understanding of agency missions and the security measures needed to protect them, and of insufficient funding allocated to information security. In contrast, the same group of survey respondents reported relatively high levels of satisfaction with two of the government’s highest profile security initiatives, the Einstein intrusion detection and prevention program, and the Trusted Internet Connection (TIC) initiative, despite the slower than expected progress made on both of these efforts. As accurately noted by GovInfoSecurity.com’s Eric Chabrow, neither the dissatisfaction with Congress nor the relatively positive view of Einstein and TIC are hard to understand. Congress has a long history of writing security-focused legislation replete with vague yet mandatory requirements, often deferring to the market or to executive branch agencies like NIST to supply the technical details to implement the objectives in the laws. (The irony persists that FISMA and most other major security legislation applies only to executive branch agencies, not to the IT environments of the House or Senate.) Despite multiple bills introduced in both houses of Congress that would seek to strengthen the provisions of FISMA in particular and federal governance of IT security in general, CISOs apparently are less interested in the politics that become more and more a part of their jobs, maintaining a genuine interest in improving agency security posture and in finding ways to combat the growing and diversifying number of threats to their data and systems. From this perspective government-wide security programs like Einstein (the operation of which would be greatly facilitated by the TIC-driven reduction of government connection points to the Internet) are attractive not least because the individual agencies would not be responsible for much of the operational support for them. Compared to the immense (and arguably poorly spent) resources agencies put into FISMA compliance, a move towards at least some security measures that span all agencies provided in a common fashion is a nice change of pace from the underfunded mandates CISOs are so used to getting handed down from Congress.