Chief Information Security Officers Balancing the Business Case rather than the Checklists

Posted by Kathleen Smith

Within the last few years there have been many widely known, widespread attacks on government agencies, and many more that have not been well publicized.

At the Bethesda AFCEA monthly breakfast, an impressive panel shared their thoughts on the challenges and changes occurring in the role of the Chief Information Security Officer in protecting the government’s assets.

While it may seem like a simple case of implementing stricter technology controls, the role of the CISO has moved beyond technology and into looking at the business case. The panel consisted of leaders and longtime information security professionals from very diverse fields: NASA, NRC, FDIC and VA. All of them are not only in control of sizeable agencies but also in charge of very complex sets of data.

The main challenges this panel identified were not the security issues themselves, but the lists and checklists that each CISO is required to handle. Information security has been more about following outdated checklists than about protecting assets and supporting the business case.

Now the CISO’s role is to balance the business case against the risk, where before it was simply to complete the checklist.

The impetus for this discussion began with the May 2010 memo from Jerry Davis, Deputy CIO for IT Security at Goddard Space Center, in which he outlines the break that is needed from simply following FISMA toward balancing risk and the business case, and how this is supported by recent Administration directives.

This memo was then heralded by other CISOs and industry professionals as the watershed for moving beyond the checklists and into security monitoring.

Jerry Davis Memo
NASA security chief orders bold change to secure networks

The panel identified some key issues that they are addressing individually as CISOs:

  • Software being the biggest vulnerability vector
  • Not enough of a talent pool
  • No clear certification process currently in place
  • Industry not understanding each agency’s risk profile
  • Each agency being responsible for different sets of data, which brings its own set of business risks

The panel shared how diverse the sets of data they have to protect are: VA is protecting personal medical information from over 1700 facilities across the country; NASA is protecting both classified and unclassified information; FDIC at any one time could be protecting bank information for 72 hours, depending on which banks are shutting down; NRC has a completely different set of security controls based on its facilities.

The biggest opportunity now is that the CISO is no longer in the parking lot or at the kids’ table but is actually in the C-suite, sitting at the big kids’ table discussing the business issues facing each agency and how to keep it secure.

Interestingly enough, the CIO Council was stood up again last year to include many leading CIOs, and a good question was raised during the Q&A as to why there was not such a council for CISOs. The panel stated that currently the sharing of information was based solely on the personal relationships they have built with each other over the years rather than on any kind of formal relationship.

With the CISOs now coming into the C-Suite and having a place at the table, it is high time for these professionals to have a way to share information and pass on best practices to each other and their teams.

This entry was posted on Tuesday, June 29, 2010 12:30 pm

One thought on “Chief Information Security Officers Balancing the Business Case rather than the Checklists”

  1. While I agree with the latest CISO approach, it’s all about the processes and procedures which provide comprehensive, up-to-date security and providing scaled processes. We’ve leveraged the seven step practices of Business/Government Continuity and integrated a security component to understanding high priority targets and methods to protect, detect and correct vulnerabilities while addressing continuity of operations. We strongly suggest similar program procedures.

    In addition, one key vulnerability consistently is within disaster recovery processes and this approach helps to provide comprehensive security.
