Federal CISO poll indicates high concern for external threats


External threats resulting in data loss are now the biggest risk to the federal government, followed by insider threats and software vulnerabilities.

That is the opinion of nearly half the federal-level CISOs polled in a survey released Thursday by (ISC)2.

The survey was designed to provide perspectives on the current and future state of government agency programs, particularly the tools, technologies and resources CISOs require, how well federal security programs and initiatives work and whether the down economy affects recruitment and retention of top personnel.

Federal CISOs indicated in the survey, conducted in March, that they are feeling more empowered, and are generally more highly regarded than in years past -- their agencies often act on their recommendations. Still, the survey pointed out that CISOs continue to face organizational challenges, including inadequate resources to do the job, undue focus on compliance and unnecessary paperwork that derails efforts to address many known problems.

Among the challenges foremost on CISOs' minds are external attacks that cause data loss, according to the survey. Insider threats and software vulnerabilities are seen as lower-level problems, though some respondents complained that the growing use of social networking sites is making it harder to distinguish between insiders and outsiders.

John Stewart, vice president and CSO for Cisco Systems, which co-sponsored the survey, said in a webcast Thursday that when addressing the issues government agencies face, focus must be placed on collaborative problem solving, which has not always worked as planned.

“Information sharing is not a strong suit for security practitioners,” he said.

The survey data also showed that CISOs favored a shift from compliance reporting to continuous monitoring.

“CISOs are telling us that agencies must move from a compliance-focused culture to one that emphasizes risk management and a more proactive approach,” Stewart said.

W. Hord Tipton, (ISC)2 executive director, said during the webcast that the CISOs surveyed believed professional certifications are important in the recruitment process. He noted that the recently introduced Rockefeller-Snowe cybersecurity bill mandates certification for everyone working at the federal level, and that certification is already required by the U.S. Department of Defense.

“Some 75 percent of the CISOs in the survey support professional certification for all government personnel working on information security systems,” he said. “Certification validates competence, and when combined with experience, makes for a more professional employee.”

The survey also found that some 76 percent of CISOs report to their agency chief information officer, but none to the chief operating officer, the chief financial officer or the chief risk officer, which the CISOs believe limits their overall effectiveness. Meanwhile, most CISOs are satisfied with their jobs and intend to stay in government service.
