Compared to being head of infosec in the private sector, filling the role at a U.S. government agency has an extra downside in the mix.
As well as having to evangelize the concept both to skeptical executives and minions, haggle for a usually less-than-adequate budget and resources, and strive against ingrained workplace practices to implement a program, a federal government CSO is always under scrutiny by the Government Accountability Office – the congressional watchdog.
Chrisan Herrod knows all about the ups and downs of such a scenario. This month she celebrates two years as the first CSO at financial industry regulator the Securities and Exchange Commission.
After a ten-year career on the infosec front line, in both government-related organizations and the private sector, Herrod joined the SEC in 2003 and was tasked with creating an infosec program from scratch. The SEC gave her all the resources she needed, and her security program began to take shape.
But then, in March this year, the GAO published a report on the SEC.
"Securities and Exchange Commission Needs to Address Weak Controls over Financial and Sensitive Data" was jarring, says Herrod, adding that its title was "a bit inflammatory."
The GAO found several faults at the SEC, culminating in the assertion that it "has not effectively implemented information system controls to protect the integrity, confidentiality, and availability of its financial and sensitive data."
As a result, sensitive data – including payroll and financial transactions, personnel data, regulatory, and other mission-critical information – were at increased risk of unauthorized disclosure, modification or loss, possibly without detection. The GAO recommended the SEC "take several actions to fully develop and implement an effective agency-wide information security program."
Herrod believes that the GAO was "right on target" to focus on the fact that, during 2004, the SEC lacked a realistic program. But "what they didn't recognize, in my view, was that the SEC was moving forward to fix those things."
"That probably upset me more than anything else – the fact that they knew that this program was in its infancy. I would have rather them recognize the fact that the SEC was putting in place a program and that they would come around perhaps next year and evaluate it based on that... but I couldn't disagree with their findings."
Gregory Wilshusen, the GAO's director of information security issues, says that staffers noted throughout their report that the SEC was taking action to correct the weaknesses cited. In preparing their reviews, GAO analysts sent drafts to the agency for input, which is included in the reports, he adds.
As for the report's title, it is "accurate, fair, constructive in tone, and certainly reflective of the results we found at the time of our review," insists Wilshusen.
Herrod recalls that the paper's critical tone created a need for her to emphasize to her team at the SEC that the report was not a personal attack on them.
"The morale of my team suffered, but they all knew that it was coming," she explains. "I was very forthcoming with them about what the report was going to say. I had many opportunities to review the report before it was actually published, and where I could enforce changes in the report, I did.
"But the important thing was to keep my team informed and ensure they understood that they were not being blamed for the inadequacies of the SEC's security program. They were here to answer the call, if you will, accept the challenge, do the right thing, and they will all come out looking terrific, because they'll have been part of something that was building a program basically from the ground up," she says.
The SEC was not alone this year in receiving a knuckle-rapping from the GAO. Others included the Department of Homeland Security, the Federal Deposit Insurance Corporation, and the Internal Revenue Service. The DHS responded to a critical May report with a letter refuting its findings.
"We agree that strengthening cyber-security is central to protecting the nation's critical infrastructure and that much remains to be done," wrote Steven Pecinovsky, director of the departmental GAO/OIG liaison office at the DHS. "We do not agree with the report's implication that the challenges experienced to date have prevented us from achieving significant results in improving the nation's cybersecurity posture," he added.
Herrod believes that next year's report will better reflect the efforts her team is making, but she is none too happy with a regulatory system that she says has government bodies "set up for failure."
While the Federal Information Security Management Act (FISMA) of 2002 has helped put security in the spotlight and provide federal CISOs with leverage, it has some major flaws, including the lack of a standard reporting structure, she believes. For example, agencies can claim to have four or five major systems that need certification, or they can say they have 500, depending on how they wish to classify what they do.
"There are gaping holes in the way in which the whole act, in terms of its reporting structure, was developed," she says. Herrod hopes that in the future there will be a mechanism to make reporting more standard and meaningful across the agencies.
Her second major complaint with FISMA is its mandate that she as CSO report to the CIO. "It is a fundamental flaw in the design of the legislation because what it does is relegate security to a technology problem," she says.
"Right away, you lose credibility: 'Oh, it's just a technology problem, it's not a business problem'."
Security is not about technology, she insists: "It's about people and processes and aligning your business risk with the way in which you want to function."
She says that the CFO or COO in an organization should be responsible for security, rather than the CIO.
"Then it elevates the function and you can basically integrate your personnel, your physical, your disaster recovery, your risk management piece, your privacy piece together under one leader," she says.
"The FISMA process is not a perfect one and it's not a panacea," admits Drew Crockett, spokesman for the House Government Reform Committee. And he acknowledges that "there might be a need for amendments to facilitate implementation of the security concepts that drive FISMA."
However, the grades federal agencies receive each year based on their FISMA compliance do provide Congress with a "snapshot view to gauge agencies' information security progress," and offer agencies an "objective benchmark from which to analyze their needs, strengths, and weaknesses," adds Crockett.
The overall IT security grade for 24 agencies in 2004 rose slightly from the previous year, but was still only a D+.
FISMA is a much more rigorous infosec process than agencies have had to deal with in the past, so there is a learning curve, says Richard Tracy, CSO at Telos, a provider of IT solutions and services to the federal government.
But federal CISOs have expressed some frustration about a lack of clarity of FISMA guidelines, such as the definition of a major system, he adds.
"Agencies are having a difficult time inventorying systems – what qualifies as one type or another," he explains.
"The inventorying process is a lot more difficult than it would seem to be."
As for Herrod's complaint about FISMA requiring CSOs to report to CIOs, large organizations – particularly those in the financial services and energy industries – are moving the CISO from the IT department into enterprise risk management, according to a recent report by Forrester Research.
Jaime Chanaga, managing director of consulting firm The CSO Board, agrees that the structure does not bode well for security.
"Certainly, having them report within the IT organization, or reporting directly to the CIO, will cause a potential conflict of interest," he says.
"CIOs' goal is to provide, for example, quality of IT services or reliability. From that perspective, they sometimes might have differing goals in terms of security. They might go the route of what's most practical for an organization, not necessarily what's most secure."
A COO or a CFO, meanwhile, works from a risk management perspective and might be more willing to support a CSO's initiatives. "Security should be a business issue at the business table and not be limited to a technology-centric point of view," he concludes.