• United States



by David H. Holtzman

The Highs (and Lows) of the CSO

Aug 01, 20034 mins
ComplianceCSO and CISOGovernment

Pity the public-sector CSO. He has to overcome all the typical security pitfalls-and he gets to do it all in a bureaucratic fishbowl.

It’s not an easy trek, becoming a security manager. But of all the possible security executive jobs out there, none is probably as challenging as the public-sector job. The government CSO most likely has climbed his career mountain without a Sherpa or a harness to catch him if he falls.

For starters, cultural and situational issues unique to government jobs make for a particularly tough journey for the government CSO. In the Office of Management and Budget’s 2001 Government Information Security Reform Act report to Congress, for example, six IT security weaknesses in government were identified. They included a lack of attention to IT security by senior management and nonexistent IT security performance measures. In addition, the report cited poor security education and awareness, a lack of fully funded and integrated security, a failure to ensure that contractor services are adequately secure, and a problem with detecting, reporting and sharing information on vulnerabilities.

Although those weaknesses exist outside the public sector, they are exacerbated in government agencies where procedural problems and incompetent management can inflate them. Here are the facts:

Government security officers have less control than their civilian counterparts. While industry executives are constrained by their budgets, government employees have to buy goods and services from a GSA-approved list, and they are bureaucratically hampered in their hiring. They are also critically dependent on outsourced labor and do not have insightbeyond routine security clearancesinto their contractors’ backgrounds.

All federal executives live in a fishbowl. In the private sector, CSOs answer solely to the executive team. Public-sector CSOs have lists of executives they report to. These CSOs are also subject to investigations by regulatory agencies such as the GAO or the OMB and congressional committees.

The fat lady never sings for government employees. The actions of the government CSO can become public information via FOIA (Freedom of Information Act) years later, even if he’s no longer a government employee. The federal wind blows in many directions and the political climate can change quickly; the decisions that government CSOs make today will be measured, in hindsight, using a moral barometer that is calibrated to tomorrow’s regulatory environment.

Government computers will always be prime targets. In theory, security should be taken seriously everywhere, but in practice, some places are more likely to attract problems than others. Government data centers are prime targets. If the motive is terrorism or information warfare, the hackers involved will be highly motivated professionals with an agenda, not disgruntled employees or bored teenagers.

Defending a prime target is very different than installing perimeter protection. The defensive stance employed by CSOs is based on the same principle that is followed by virus checkersblock things that have been seen before. But the hot spots (such as government networks) will experience the destructive and innovative tactics of experienced hackers. It’s much harder to defend against innovative attacks that you haven’t encountered before than those that you have learned to block.

Conflicting messages are difficult to decipher. An unenlightened management group armed with high expectations is a difficult group to work with. I once recommended a new client/server system to a senior government customer and was told that servers cost too much; they just wanted clients. I’m reminded of that story when I read about proposed e-government initiatives that lack a commensurate budgetary increase for agency security. The GAO said earlier this year that “significant information security weaknesses continue to place a broad array of federal operations and assets at risk for fraud, misuse and disruption.”

The fact is, U.S. information security is in lousy shape. Outsourcing and privatization are not likely to improve the situation and might actually make it worse. True security, however, is patient professionalism fueled by adequate funding.