Comments
Richard Davies wrote: The UK has a good crop of technology pioneers in cloud computing - for example ElasticHosts, FlexiScale, Flexiant, OnApp - and also some strong government initiatives such as G-Cloud. We will have to see whether this kind of technical leadership converts into swift mass-market adoption or not.
(ISC)2(R) Report: Federal CISOs Say Economic Crisis Will Increase Security Vulnerabilities and Improve Personnel Retention

In First Comprehensive Survey, Federal CISOs Give Opinions on Growing Threats in a Recession, CNCI, TIC, Building a Top Workforce and Their Role in a New Administration

PALM HARBOR, Fla., April 30 /PRNewswire/ -- (ISC)2(R) ("ISC-squared"), the not-for-profit global leader in educating and certifying information security professionals throughout their careers, today announced the key findings of its recent survey of federal Chief Information Security Officers (CISOs). The report, sponsored by (ISC)2, Cisco and Government Futures, was released today during an (ISC)2 ThinkTank Security Leadership Roundtable Webcast entitled: "A View from the Front Line: The State of Cybersecurity from the Federal Chief Information Security Officer's Perspective."

"The State of Cybersecurity from the Federal CISO's Perspective" is the first comprehensive survey of federal agency and bureau-level CISOs. It was conducted to get a front-line perspective on the current and future state of agency programs; which tools, technologies and resources CISOs think they need to accomplish their mission; how well federal security programs and initiatives are working; and whether the economy is affecting their ability to recruit and retain top personnel.

The survey data showed that CISOs believe the global economic crisis will increase risks to federal information and information systems, largely as a result of pressure to deploy solutions more quickly, but that the resulting lackluster employment market will improve the ability of federal agencies to retain key security personnel. The survey data also showed that federal CISOs are becoming more empowered within their agencies--with 90 percent viewing their ability to affect the security posture of the agency as significant or influential.

"The CISOs' responses clearly demonstrate that cybersecurity is evolving in terms of management priority," says W. Hord Tipton, CISSP-ISSEP, CAP, CISA, executive director of (ISC)2. "Although CISOs are still facing organizational challenges, we view it as a positive sign that CISOs feel they are being listened to by senior management and that their recommendations are, for the most part, being considered and implemented. However, that has not always been the case in the past."

Other key findings include the fact that nearly half of federal CISOs surveyed believe that, in today's uncertain and financially challenged environment, external threats resulting in data loss are now the biggest risk to the federal government, followed by insider threats and software vulnerabilities. However, CISOs are split on government progress in the battle to safeguard agency information and systems, with half of CISOs of the opinion that they are "turning the corner" and the other half stating that their agency is still "not getting ahead of the attackers."

The survey also uncovered CISOs' needs, priorities and recommendations for more secure federal systems. They include the following:

  • They strongly favor a shift from compliance reporting to continuous monitoring, as well as the imposition of stricter security requirements during the acquisition of all major IT systems.
  • CISOs wish they had more resources and even more senior buy-in than they're currently getting to accomplish their mission.
  • Hiring of information security professionals remains weak at most agencies, but CISOs say that when they do hire, the most important selection criteria will be experience, professional certifications and communication skills.
  • CISOs' top three current priorities are addressing threats to government information systems, improving cybersecurity governance and meeting compliance objectives.
  • To help achieve those priorities, CISOs would like to have stronger intrusion detection and prevention tools, stronger authentication and more encryption.
  • CISOs think good progress is being made with the Einstein and Federal Desktop Core Configuration (FDCC) programs, but they don't think the Homeland Security Presidential Directive-12 (HSPD-12) or the Trusted Internet Connection (TIC) programs have been as successful.

Notably, the survey found real frustration and a lack of confidence among CISOs in the Comprehensive National Cyber Security Initiative (CNCI), developed during the Bush Administration. They believe the program has too much of "an external focus," with the result being that not enough funds are being devoted to fixing longstanding agency security problems. To improve CNCI, more than 50 percent of CISOs say that they would like to see less classification around the program, greater attention to authentication and more access to Einstein data.

"With this report, CISOs are telling us that agencies need to move from a compliance-focused culture to one that emphasizes risk management and a more proactive approach," says John N. Stewart, chief security officer for Cisco. "Now is the time to lay the foundation. As the nation increases its reliance on networking solutions, a strong online security policy that takes into account the well-formed, front-line opinions and recommendations of CISOs from both the public and private sectors needs to be a central focus of our national security strategy."

Other findings in "The State of Cybersecurity" include the following:

  • 75 percent of CISOs support mandatory professional certification for all government personnel working on information security systems, as already mandated at the Department of Defense through the 8570.1 Directive.
  • 76 percent of CISOs report to the agency Chief Information Officer, but none to the Chief Operating Officer, the Chief Financial Officer or the Chief Risk Officer, which CISOs believe limits their overall effectiveness.
  • Most CISOs are satisfied with their jobs and intend to stay in government service.

Responses for this survey were gathered over a three-week period in March 2009. Responses, gathered by telephone, e-mail and in-person interviews, came primarily from civilian, law enforcement and intelligence agencies. Lynn McNulty, CISSP, (ISC)2 director of government affairs, conducted the interviews. Bruce McConnell, founder of McConnell International and Government Futures, analyzed the responses and authored the report. An electronic copy of the report can be downloaded at www.isc2.org/ciso.

About (ISC)2

The International Information Systems Security Certification Consortium, Inc. [(ISC)2(R)] is the globally recognized Gold Standard for certifying information security professionals. Celebrating its 20th anniversary, (ISC)2 has now certified over 60,000 information security professionals in more than 130 countries. Based in Palm Harbor, Florida, USA, with offices in Washington, D.C., London, Hong Kong and Tokyo, (ISC)2 issues the Certified Information Systems Security Professional (CISSP(R)) and related concentrations, Certified Secure Software Lifecycle Professional (CSSLP(CM)), Certification and Accreditation Professional (CAP(R)), and Systems Security Certified Practitioner (SSCP(R)) credentials to those meeting necessary competency requirements. (ISC)2 CISSP and related concentrations, CAP, and the SSCP certifications are among the first information technology credentials to meet the stringent requirements of ANSI/ISO/IEC Standard 17024, a global benchmark for assessing and certifying personnel. (ISC)2 also offers a continuing professional education program, a portfolio of education products and services based upon (ISC)2's CBK(R), a compendium of information security topics, and is responsible for the (ISC)2 Global Information Security Workforce Study. More information is available at www.isc2.org.

(C) 2009, (ISC)2 Inc. (ISC)2, CISSP, ISSAP, ISSMP, ISSEP, CAP, SSCP and CBK are registered marks and CSSLP is a service mark of (ISC)2, Inc.

SOURCE (ISC)2

About PR Newswire
Copyright © 2007 PR Newswire. All rights reserved. Republication or redistribution of PRNewswire content is expressly prohibited without the prior written consent of PRNewswire. PRNewswire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.
