External threats resulting in data loss are now the biggest risk to the federal government, followed by insider threats and software vulnerabilities.
That is the opinion of nearly half the federal-level CISOs polled in a survey released Thursday by (ISC)2.
The survey was designed to provide perspectives on the current and future state of government agency programs, particularly the tools, technologies and resources CISOs require, how well federal security programs and initiatives work and whether the down economy affects recruitment and retention of top personnel.
Federal CISOs indicated in the survey, conducted in March, that they are feeling more empowered, and are generally more highly regarded than in years past -- their agencies often act on their recommendations. Still, the survey pointed out that CISOs continue to face organizational challenges, including inadequate resources to do the job, undue focus on compliance and unnecessary paperwork that derails efforts to address many known problems.
Among the challenges foremost on CISOs' minds are external attacks that cause data loss, according to the survey. Insider threats and software vulnerabilities are seen as lower-level problems, though some complained that it is getting tougher, because of the growing use of social networking sites, to differ between insiders and outsiders.
John Stewart, vice president and CSO for Cisco Systems, which co-sponsored the survey, said in a webcast Thursday that when addressing the issues government agencies face, focus must be placed on collaborative problem solving, which has not always worked as planned.
“Information sharing is not a strong suit for security practitioners,” he said.
The survey data showed also that CISOs favored a shift from compliance reporting to continuous monitoring.
“CISOs are telling us that agencies must move from a compliance-focused culture to one that emphasizes risk management and a more proactive approach,” Stewart said.
W. Hord Tipton, (ISC)2 executive director, said during the webcast that the CISOs surveyed believed professional certifications are important in the recruitment process, and that the recently introduced Rockefeller-Snowe cybersecurity bill mandates certification for everyone working at the federal level, and certification already is required by the U.S. Department of Defense.
“Some 75 percent of the CISOs in the survey support professional certification for all government personnel working on information security systems,” he said. "Certification validates competence, and when combined with experience, makes for a more professional employee."
The survey also found that some 76 percent of CISOs report to their agency chief information officer, but none to the chief operating officer, the chief financial officer or the chief risk officer, which the CISOs believe limits their overall effectiveness. Meanwhile, most CISOs are satisfied with their jobs and intend to stay in government service.
