By the (ISC)² U.S. Government Advisory Board Executive Writers Bureau (EWB)
At a recent GOVERNING Conference in DC, state and local jurisdictions discussed the recent collapse of agency information technology (IT) staffs in an effort to save scarce financial resources. Among the reported casualties were Chief Information Security Officers (CISOs), whose duties are now being subsumed by the Chief Information Officer (CIO). This raises the question of whether the same could happen at the federal level: a recent version of FISMA made no mention of the CISO, and instead would allow the CIO to appoint any senior person to lead the security program.
Given the existing fiscal crises, this may make sense for state and local governments from a cost standpoint, but the long-term impact will likely prove to be a devastating failure. To start with, the priority of a CIO is to manage the ongoing operations of information systems in order to ensure customer satisfaction and organizational efficiency. In other words, his job is to “keep the trains running on time.” Securing those systems often runs a distant second on his list of priorities due to the nature of this role. Further, experience proves that an inexperienced senior manager tasked with making authoritative decisions regarding the security of an infrastructure is an open invitation for disaster. A wise CIO appoints an experienced information security professional to play that role.
Why is it essential for an experienced professional to manage the information security program? First, the security function should not be biased by other IT operational priorities. Next, it takes the right skills to ensure that proper security controls and processes match the right solutions with the right degree of security. This type of experience includes not just technical proficiency but a broad knowledge of IT, risk analysis, project management, security architecture and people management. Applying the proper level of security to an organization is a difficult endeavor. A risk management perspective, and the ability to apply a risk management approach effectively, take years to fully master.
What’s more, an experienced information security professional who leads a government program (federal, state, or local) must have a business orientation in order to properly understand the enterprise they are defending and to apply the level of controls that enables the organization’s business function. They must also have a good grasp of compliance, so that their agency does not lose sight of how it is meeting basic standards and is not exposed by the internal ‘watchdogs’ found in every regulated industry.
So, is it really ‘bye-bye’ to state and local CISOs for the foreseeable future? Are agencies throwing out the baby with the bathwater, rather than simply moving the CISO role to another part of the organization that may have sufficient budget to assume the cost? Have state and local governments not recognized by now the importance that information security and good management of IT resources play in the business of government? After all, in the world of federal budgets, we are starting to see cybersecurity given budgetary precedence as a "needs-based" and justified expenditure.