May 17, 2005 — CSO — This just in: another chapter in the heavy book about how the federal government is relegating cybersecurity to a little room under the stairs.
In case you haven't heard, the proposed federal CISO Exchange has imploded, after the U.S. Office of Management and Budget withdrew its support for the nascent program. It was a good idea done in a bad way: a public-private initiative focused on bringing together federal CISOs with private industry to improve the government's near-failing information security report card (very good), and a for-profit forum led by a slick PR man, with memberships that would cost up to $75,000 (very bad).
In all the squabbling over whether private-industry members would have been buying access to political heavyweights, there seems to be just one thing that everyone agrees upon: federal CISOs need a place to formally come together. Worrying about a joint community for CISOs and private industry seems a little like putting the cart before the horse, when right now, federal CISOs don't even have a formal setting where they can convene without private industry.
In fact, there are four good models for how this kind of group could be set up. They are the Chief Information Officers Council, the Chief Financial Officers Council, the Chief Human Capital Officers Council and the Chief Acquisition Officers Council. Each of these inter-agency groups provides its "Os" with a forum for talking about industry best practices. But while their membership parallels what the CISO Exchange's would have been (minus the vendors), there are two big differences. The Councils are mandated by the federal government, and they are paid for by the federal government.
"They do what they call 'pass the hat,'" explains Gary Winters, director of interagency management in the General Services Administration's Office of Governmentwide Policy. "Each agency ends up contributing based on an algorithm that comes up from OMB [the Office of Management and Budget]." The one exception is the Chief Human Capital Officers Council, which is administered by the federal Office of Personnel Management. The Councils are not expensive, Winters adds, because they have little overhead.
Still, it would take a lot more than a press conference or two to get a CISO Council off the ground. Unlike the CISO Exchange, each of the Councils was created by federal legislation. The CIO Council, for example, was created by Executive Order and later the E-Government Act of 2002, and the CFO Council was created by the Chief Financial Officers Act of 1990. Rep. Tom Davis (R.-Va.), who announced the formation of the CISO Exchange, does not seem poised to introduce such legislation. He has distanced himself from the failed Exchange to the extent that his office did not answer questions about its next possible iteration.