Being a Government Security CISO: Life in the Fishbowl

Information Security is Information Security, Right? It shouldn't matter whether the organization needing protection is a government agency operating in the public sector or a private enterprise, should it? Technically, no. The essential security practices must be delivered in whichever environment the Security Officer operates. However, several forces that drive the security program in the public sector differ from those in the private sector.

The primary difference is this: while the private sector Chief Information Security Officer (CISO) must still deal with a plethora of government regulations, the primary driver of security initiatives is to support and protect the profitability of the corporation. The public sector CISO, whether employed by a branch of government (federal, state, local or tribal) or by a large non-profit organization such as the Red Cross, American Cancer Society, or AARP, is primarily driven by, and obtains their authority from, the various statutes that have been passed to correct problems that resulted in the compromise of citizen information or the loss of taxpayer dollars.

Public Reporting With FISMA
As Lynn McNulty, former associate director of the National Institute of Standards and Technology (NIST), illustrates in his chapter "The Public Sector CISO: Life In The Fishbowl" in the new book on security leadership published by ISC2, "CISO Leadership: Essential Principles for Success", public sector CISOs must deal with a very complex regulatory environment. The security regulations have gone through multiple changes, each in an effort to increase the authority of the security function and the visibility of the security controls. The latest comprehensive legislation was Title III of the E-Government Act of 2002, known as the Federal Information Security Management Act (FISMA), which requires each federal agency and its contractors to develop, document, and implement an agency-wide security program to protect the information and information systems that support agency operations and control agency assets. One of the key aspects of this law was to put in place formal public reporting and "report card" scoring of the security posture of the various agencies. While there is much debate about whether FISMA is an effective and efficient way to provide security, it has certainly elevated the visibility of the security function and of the CISO. The debate is primarily concerned with whether "compliance = good security" and whether the time-consuming, paper-intensive certification and accreditation processes are necessary. FISMA has clearly made an impact: federal agency security spending is in excess of $5 billion, representing more than 12% of the federal IT budget.

Constrained Budgets
While security spending may have increased, the leadership challenge for the public sector CISO is how to manage resources that are borrowed from other operational areas and run the program with limited resources. This dilemma certainly exists in the private sector, but resource constraints are even more pronounced in the federal agencies. Budgets typically cannot be fully executed during the first few months of the fiscal year because of a "continuing resolution", under which spending must be held at the prior year's funding level until congressional approval of the new budget is obtained. The CISO must understand the funding mechanisms and the funding cycle, and must be able to plan strategically for those items that are multi-year initiatives.

Whose Laptop Was Stolen?
The public sector CISO runs the risk that security incidents will receive that "extra level" of public scrutiny. When the Department of Veterans Affairs laptop containing 26.5 million records on veterans and military personnel was stolen, it was big news. Congressional committees announced public hearings, tough questions were asked about how such an incident would be prevented in the future, reorganizations involving staff changes were announced, and the incident was reported endlessly by the media. While the private sector CISO also faces challenges during security incidents, the details do not necessarily gravitate toward the public scrutiny imposed by legislative bodies that debate these issues in an open forum. The CISO must have the communication skills to withstand the tough questions.

Increased Threat Profile
Like financial institutions and operators of the nation's critical infrastructure, the CISO of a federal agency must be vigilant against a range of threats, from teenage hackers to sophisticated attempts by foreign governments to penetrate government systems. In these cases the CISO must develop programs that go beyond "best practices" in order to minimize targeted attacks. Hence, the CISOs of several government organizations, such as the Department of Defense, NASA, and the Department of Energy laboratories, maintain an elevated focus on attacks aimed at classified information. The CISO must be able to conduct an appropriate risk assessment of the threat environment and take action to mitigate the risk with limited resources.

Time to Bring In another Fish
As the public sector CISO swims around in the fishbowl, there are very few places to hide. A rock here, a shell there, but as quickly as the fish tries to hide, it realizes there is no safe place. So the fish keeps swimming, and realizes that its moves had better be good, because everyone is watching. As one who, as a kid, flushed many goldfish down the drain to fish heaven, I can say that if the fish is not aware of its surroundings, has too small a bowl to operate in, and doesn't get the food it needs, it will soon be joining the fish that went before it. And it doesn't matter how beautiful that fish may look while it swims.
