Government Security Execs Gain Insight From Private Sector
In an effort to bump up a painfully disappointing grade in IT security for the federal government, Rep. Tom Davis and the Federal CIO Council have formed an initiative that will unite chief information security officers (CISOs) with private-sector security executives. For VARs, the CISO Exchange could provide an opportunity to weigh in on operational security issues and assist in rolling out strategies.
Under the Federal Information Security Management Act (FISMA) of 2002, which governs federal information security, agencies are assigned annual report-card grades for government security. Last year's overall grade for government agencies rose 2.5 points from 2003, which brings it to a D+. Furthermore, in a separate study conducted by security software provider Telos, federal CISOs expressed the need for a more linear connection to agency funding.
The good news for solution providers? There's a lot of work to be done.
"If you look at the results from the government and from the CISO community, it's very disappointing," says Steve O'Keeffe, executive director of the CISO Exchange, which was officially established Wednesday. "This group was established specifically for improving the process and overall results."
That community of CISOs will help facilitate education opportunities and best practices, provide a platform for voicing operational security issues and enable a public-private sector information exchange on IT security issues. The latter is particularly relevant, given that a CISO study conducted by Intelligent Decisions last year named software quality the biggest issue for government security, O'Keeffe says.
"Given that, how can you have a discussion about how to improve government security without the private sector?" he says.
Private-sector sponsorships will provide funding for the group, which will also have a board comprising private-sector companies to "offer industry perspective and insight," O'Keeffe says.
The CISO Exchange doesn't know yet which companies will sit on that board, but those chosen could serve as a mouthpiece for the rest of the industry (and a heads-up to VARs), noting which technologies and services best fit the federal government's stated needs, for example. The first board meeting is scheduled for May.
"There have been numerous streams of dialogue on who's responsible [for the grades]," O'Keeffe says. "But rather than nail one group to the wall, this initiative brings groups together to drive meaningful dialogue. Everyone can point fingers; what we need to do is frame this in such a fashion as to establish real traction."