Why Fed CIOs Worry Most About Infosec

Survey: Cybersecurity Ahead of Costs, Personnel as Top Concern Eric Chabrow (GovInfoSecurity) • May 5, 2012

Organizations that don't treat information security as a fundamental component of their businesses will be handicapped in achieving their goals. The threat of breaches, not necessarily the intrusions themselves, cripples the development of the tools and services organizations need to function.

That's a point made in a just-published survey from TechAmerica, the lobbying arm of America's information technology industry, of U.S. federal chief information officers, who characterized cybersecurity as their No. 1 concern.

In their recommendations to Congress and the Office of Management Budget, which oversees IT governance in the federal government, the report authors write that the threats cybersecurity tries to address represent one of the major barriers to achieving some of the IT management goals of the federal government, adding:

"Unless program managers and others believe that their data and digital operations are secure, they will be reluctant to take part in data center consolidation, shared services, the cloud or other cost-saving, efficiency-building initiatives."

In other words, perception is reality.

The report's authors made another valid point: IT security is good for business:

"The quest for cybersecurity often leads to these same initiatives because centralizing IT assets makes it easier to protect them. In this sense, savings and security should go hand in hand.

IT security isn't easy to pull off, especially when IT and IT security groups don't get the support of their non-tech bosses. Risk, as the report points out, is a difficult concert for most people to grasp, but it is one that is important to convey to users, executives and, in the federal government, to Congress. As one CIO says:

"Users do not often want to talk about risk, but we need to educate them about cyber risk and to become involved in deciding what risks to take. Constantly, we have to remind them about risk and their role in it."

Of course, addressing IT security risk jibes with the federal CIOs' No. 2 priority, controlling costs. One CIO respondent expresses a yearning for a financial model to assess how much each level of security costs, "one that would show us the 'knee' in the point at which more money starts to buy less security." Indeed, metrics analyzing performance, trends and prevention, as the report contends, could help achieve the right balance in traditionally risk-averse government agencies. That's true in most businesses, as well.

Cyber Incidents Soar

The reason why cybersecurity has become the top concern of the CIOs is a six-fold increase in cybersecurity incidents reported to the United States Computer Emergency Readiness Team from federal agencies from fiscal years 2006 through 2011 (see chart below). The Federal Information Security Act charges CIOs with the responsibility to secure their agencies' information systems.

How should CIOs confront their agencies' cybersecurity challenges? Here are suggestions from some of the CIO respondents:

Develop better official process for sharing threat information government-wide because too much flows through back channels, which is not an optimal way to communicate.
Determine who within an agency "owns" security authority. This is a big problem for CIOs because they do not control physical security and background checks that mitigate internal cybersecurity risks.
Plan for and build cybersecurity into new programs and systems, because today it is more of an afterthought.
Create sound metrics for the continuing performance of cybersecurity - they will likely give the government and Congress better guidance than the occasional headline-making incidents.

As one CIO observes: Cybersecurity isn't just about patches; it's a dynamic thread throughout the organization.

And, that's why IT security is so crucial to the functioning of all organizations today.