Survey: Most federal CISOs not moving to cloud yet

May 12, 2010

The second annual State of Cybersecurity from the Federal CISO’s Perspective has been released. (ISC)2 and Cisco, along with Garcia Strategies, put together their second annual report based on questions answered by a broad cross-section of U.S. government chief information security officers.

Fed Cloud Blog got to sit down with David Graziano, operations director for federal security at Cisco and Lynn McNulty, former director of government affairs at (ISC)2 to get their perspective on what the survey shows.

Today, we bring you excerpts of the conversation.

Why the survey was conducted

LM: We looked around and . . . came to the realization that a lot of people do surveys of CIOs and chief technical information officers and other categories of people, but nobody does a regular, annual survey of CISOs, particularly in the federal community. Their role has been changing and is taking on a great deal of importance over the last couple of years, and we thought it would be appropriate to reach out to them.

Survey result: There is more satisfaction with EINSTEIN

DG: The EINSTEIN program is put in place by the Department of Homeland Security, and it really is a way to monitor and protect the federal government Internet gateways. The Department of Homeland Security, and specifically US-CERT, put in place the EINSTEIN program over the last few years, and it’s predominantly there to monitor traffic going in and out of the federal government for the purpose of looking for malware and attempted attacks [and] attempted threats to penetrate the federal government.

The most interesting part of the aspect of our survey in this area is that we found that . . . CISOs are telling us that they are generally satisfied with the EINSTEIN program. I found that that was very interesting because, a couple of years ago when we did this survey, our respondents were questioning how useful or how valuable EINSTEIN was going to be. The [current] survey has definitely indicated that it is heading in the right direction.

On the changing role of the CISO

DG: Federal CISOs realize that their role is becoming more strategic. That’s definitely, probably the number one finding of this survey. Security is now recognized as being more relevant to an agency’s mission, and, because of that, there’s better alignment with driving agency policy and direction. What we believe has happened is, over the last couple of years . . . federal CISOs were focused on getting their FISMA report cards. Now, all of a sudden, the relevancy of recognizing cybersecurity is critical to an agency’s mission, and has really elevated federal CISOs to becoming more strategic in their organization.

LM: I totally agree with David and I think it’s also one of the impacts of the Comprehensive National Cyber Initiative — it has resulted in this kind of much more senior level management attention upon the security issue, with the result that the CISO has probably spent a lot more time in front of very senior department and agency officials, and has been given tasks and implementing responsibilities that are much more strategic in nature than they are technical in nature.

Are federal CIOs and CISOs hesitant about moving to the cloud?

DG: One of the interesting things from the survey was that 72 percent of our respondents are not using cloud computing. What that tells me is that, while everybody’s talking about it and talking about how great it’s going to be, it means that only 28 percent of our customers are really diving into it. Chances are, that’s primarily due to security concerns, whether it’s data loss or an inability to enforce policy.

If you think about it, whether it’s a private cloud or a public cloud, either way you have to be able to extend your policy into that cloud in order to protect the information that resides there. So, probably what we’ll see, say, over the next two years, is that ability to extend policy into the cloud, and be able to enforce it, and that will reduce the risk and allow our customers to move there. Right now, they’re looking at it and not jumping in.

LM: I think they’re very concerned about the level of risk that’s involved, the potential loss of control over data, and from what I heard from just talking with CISOs, they’re going to move into the cloud, but those applications that get put into the cloud are going to have a very low risk level. It will allow them to gain some experience, and also to feel much more comfortable before they start moving any more sensitive information into cloud computing, particularly if there’s an offshoring element involved in the application.

Does OMB’s Information Systems Security Line of Business facilitate the sharing of best practices when it comes to initiatives like cloud?

LM: I think it does facilitate collaboration. Also, I think agencies will be looking at the Line of Business as a worked example and one that may be better for them to use from both security and economy and efficiency reasons, rather than trying to duplicate that same capability within their own organization.

DG: I agree. If you look at the TIC initiative, for instance, at many agencies it was going to be cost-prohibitive for them to stand up a security operations center. So, by going and being able to collaborate with other agencies and rely on their expertise, it gave [them] the ability to better protect themselves [and] improve the security of the organizations without spending the money to stand up their own security operations.


Former federal CIO: Cloud knowledge important for overall cybersecurity

March 24, 2010

Fed Cloud Blog continues its discussion with Hord Tipton of ISC(2).

Today he talks with us about the ‘hype’ around cloud computing, and whether there is too much of it.

HT: One could have that opinion, I guess, but I think it is such an important topic that it’s worth going under an opinion such as that.

When you combine cloud computing with the other game-changing technology and the use and explosion of cell phones, collaboration [tools] and all of that, our security people are just overwhelmed with new problems to solve, or new approaches and new risks that they have to somehow figure out how to deal with.

What the catch-all name of ‘cloud computing’ does for us is make us focus on the point that this really and truly is an issue that we need to get out in front of, not with the notion of trying to stop it or slow it down, because it’s already out of the gate — it has been for, in my opinion, a few years — but how do we identify the problems? How do we take advantage of the findings and the concerns that have already been expressed through other working groups and reports that we’ve read?

At this point, we got interested because we think there’s all sorts of concerns expressed that point at potential problems, but the focus, in my view, has not really sharpened to the point that it’s provided useful information for executives and security professionals as to — okay, now we know we’ve got a problem, what’s the best way to approach it?

So, we’re looking at it and we are taking the information that we have — we take the concerns that are already expressed — and now we’re trying to wrap this into a focused report that can point out some best practices in terms of dealing with the issues that we know about. Some we’ve known about for years, and others are a bit new and we may not have had to deal with them, but they’re all of a sudden very, very real.

FCB: You actually answered our last question, which was — what are you hoping to learn? Is there anything else you wanted to add?

HT: I guess I would simply say that cloud computing, Web 2.0 and all the remote computing [tools] are part of our business now. Looking at it as a game-changer set of technologies, all of us are going to have to adjust our positions on the field.

Just staying current with it — we have 67,000 members out there that we try to keep tuned in and sharp on this. We provide them information — and keeping our security forces and our people tuned to what these issues are is part of the continuing education that we build into the ISC(2) certification process.

It’s just not enough to have smart people. You have to keep people smart. And they have to be smart, particularly in this day and age, in how to operate in the cloud.

ISC(2) starts cloud security working group

March 22, 2010

ISC(2) is starting a cloud security working group. This week, Fed Cloud Blog talks with Hord Tipton, their executive director, and former CIO at the Interior Department.

FCB started by asking him to explain what his company’s role currently is in the federal cloud space.

HT: ISC(2) is a non-profit organization dedicated to good security in the IT space, regardless of where it is — on the ground or in the cloud, or anywhere that data may be in search of a good guardian.

FCB: We understand you have a cloud security working group coming up. Let’s talk a little bit about that. How did this whole idea come about?

HT: Well, cloud computing seems to be the hot topic of, probably over the last six months — maybe to a year — and, frankly, those of us that have been in this business for a long time think that we’ve simply refined it or put another name on it or are focusing on the expansion of the use of cloud computing. If you really stop and think about it, it’s not new, it’s just exploding.

FCB: Who’s taking part in this security working group?

HT: We thought that we would put a group together and focus primarily on the government space and see if we could address the issues that have been raised on this over the last six months to a year and come up with some recommendations or some best practices to try to address the issue.

Representatives in the group — and we should give recognition to our partner on this, as well — Cisco Federal — but they include members from Department of Justice, Veterans Affairs, NSA, IRS and some others.

FCB: So, you’re getting all of these people together. Is this going to be a one-time thing, or a monthly [meeting]?

HT: Our game plan is to work this through, get as much good information and focus as we can on this and produce some preliminary results at our upcoming conference at the end of May. [It is] our Secure America conference and we always have good attendance at that. At that point, we will continue to refine the study and then report back with a final report in November at the 1105 Security Conference.

FCB: So this report will be open to the general public?

HT: Absolutely.

FCB: Let’s talk a little bit about some of the concerns surrounding cloud computing as a whole. Is this working group going to look at subjects like security, because we know from doing these interviews a lot of people are concerned that once they move to the cloud formula, so to speak, they’ve got all this data out there — but, you mentioned earlier that cloud computing is nothing new. So, how are you looking at security now in terms of that?

HT: Well, if we stop and think about it, the issues that we’re concerned about by operating in the cloud aren’t really all that new or different than issues that our security professionals and technicians face every day. We simply have expanded the way by which we negotiate those concerns. We simply moved our data to a different place, and now all of a sudden we find there are more people involved in protecting that data. We certainly aren’t going to walk away from it and totally trust someone else to handle that for us. There are so many different ways and uses of technology that you really have to be cognisant of and stay in touch with — but, to me, we have simply relocated some of the issues that relate to security and protection of that data.

Later this week: more from ISC(2)!

In case you missed it: This week in cloud news

December 11, 2009

What happened this past week when it comes to the cloud?

Today, we answer that question.

On Tuesday

On this week’s Federal Tech Talk on Federal News Radio, host John Gilroy talks with Lynn McNulty, Director of Government Affairs at (ISC)2. The two talk about a variety of topics, but during the third portion of the show, they devote about 10 minutes specifically to cloud. We encourage you to listen to the whole program, but wanted to point out exactly where the “cloud talk” was.

On Wednesday

We talk a lot about what you should move into the cloud, but what shouldn’t you move? On In Depth, host Francis Rose talked with Mark Forman, a partner with KPMG and former Administrator for E-Government and Information Technology at the Office of Management and Budget. Listen to the whole interview and read the article here.

On Thursday

OMB is going to require agencies to develop an alternative analysis discussing how they could use cloud computing for all major technology projects for the fiscal 2012 budget. Federal News Radio’s Jason Miller brings us a wealth of information in this article.