The second annual State of Cybersecurity from the Federal CISO’s Perspective has been released. (ISC)2 and Cisco, along with Garcia Strategies, put together their second annual report based on questions answered by a broad cross-section of U.S. government chief information security officers.
Fed Cloud Blog got to sit down with David Graziano, operations director for federal security at Cisco and Lynn McNulty, former director of government affairs at (ISC)2 to get their perspective on what the survey shows.
Today, we bring you excerpts of the conversation.
Why the survey was conducted
LM: We looked around and . . . came to the realization that a lot of people do surveys of CIOs and chief technical information officers and other categories of people, but nobody does a regular, annual survey of CISOs, particularly in the federal community. Their role has been changing and is taking on a great deal of importance over the last couple of years, and we thought it would be appropriate to reach out to them.
Survey result: There is more satisfaction with EINSTEIN
DG: The EINSTEIN program is put in place by the Department of Homeland Security, and it really is a way to monitor and protect the federal government Internet gateways. The Department of Homeland Security, and specifically US-CERT, put in place the EINSTEIN program over the last few years, and it’s predominantly there to monitor traffic going in and out of the federal government for the purpose of looking for malware and attempted attacks [and] attempted threats to penetrate the federal government.
The most interesting part of the aspect of our survey in this area is that we found that . . . CISOs are telling us that they are generally satisfied with the EINSTEIN program. I found that that was very interesting because, a couple of years ago when we did this survey, our respondents were questioning how useful or how valuable EINSTEIN was going to be. The [current] survey has definitely indicated that it is heading in the right direction.
On the changing role of the CISO
DG: Federal CISOs realize that their role is becoming more strategic. That’s definitely, probably the number one finding of this survey. Security is now recognized as being more relevant to an agency’s mission, and, because of that, there’s better alignment with driving agency policy and direction. What we believe has happened is, over the last couple of years . . . federal CISOs were focused on getting their FISMA report cards. Now, all of a sudden, the relevancy of recognizing cybersecurity is critical to an agency’s mission, and has really elevated federal CISOs to becoming more strategic in their organization.
LM: I totally agree with David and I think it’s also one of the impacts of the Comprehensive National Cyber Initiative — it has resulted in this kind of much more senior level management attention upon the security issue, with the result that the CISO has probably spent a lot more time in front of very senior department and agency officials, and has been given tasks and implementing responsibilities that are much more strategic in nature than they are technical in nature.
Are federal CIOs and CISOs hesitant about moving to the cloud?
DG: One of the interesting things from the survey was that 72 percent of our respondents are not using cloud computing. What that tells me is that, while everybody’s talking about it and talking about how great it’s going to be, it means that only 28 percent of our customers are really diving into it. Chances are, that’s primarily due to security concerns, whether it’s data loss or an inability to enforce policy.
If you think about it, whether it’s a private cloud or a public cloud, either way you have to be able to extend your policy into that cloud in order to protect the information that resides there. So, probably what we’ll see, say, over the next two years, is that ability to extend policy into the cloud, and be able to enforce it, and that will reduce the risk and allow our customers to move there. Right now, they’re looking at it and not jumping in.
LM: I think they’re very concerned about the level of risk that’s involved, the potential loss of control over data, and from what I heard from just talking with CISOs, they’re going to move into the cloud, but those applications that get put into the cloud are going to have a very low risk level. It will allow them to gain some experience, and also to feel much more comfortable before they start moving any more sensitive information into cloud computing, particularly if there’s an offshoring element involved in the application.
Does OMB’s Information Systems Security Line of Business facilitate the sharing of best practices when it comes to initiatives like cloud?
LM: I think it does facilitate collaboration. Also, I think agencies will be looking at the Line of Business as a worked example and one that may be better for them to use from both security and economy and efficiency reasons, rather than trying to duplicate that same capability within their own organization.
DG: I agree. If you look at the TIC initiative, for instance, at many agencies it was going to be cost-prohibitive for them to stand up a security operation center. So, by going and being able to collaborate with other agencies and rely on their expertise, it gave [them] the ability to better protect themselves [and] improve the security of the organizations without spending the money to stand up their own secure operations.