Friday, August 15, 2008

Is This You Too?

To understand what it's like to be a federal chief information security officer, consider Larry Ruffin. As CISO at the Interior Department, his job could be described as having little to do with being a chief and not much more about security.

Although he regards Interior's current information security as "far from inadequate," Ruffin and Chief Information Officer Michael Howell don't have a way to check that the department's network security is configured correctly or to monitor suspicious activity on a daily basis. Ruffin also has no authority and few resources to check on the security of employees' equipment, such as laptops, workstations and servers, or to monitor specific applications. He has to rely on verbal and written promises from Interior's bureau managers that they are complying with security policies. To a limited extent, Ruffin says, he conducts on-site checks of systems, which in the end offer little insight into the state of IT security departmentwide.

"How do you take control, when you don't [have authority over] the funds or maintain clear authority to make decisions? That stymies processes," Ruffin says. "We don't get clear approvals and don't feel empowered to make decisions that might have budgetary impacts. Those decisions can get made, but rarely."

Ruffin isn't alone. His experience is common to CISOs across government. Security budgets are paper thin, and CISOs rarely have the authority to enforce security policies down deep into individual department offices. Their job is one of frustration; they're aware of what's required to protect agency networks, but unable to get the job done. It's no wonder that more security analysts are warning of serious security breaches, if they have not occurred already...

The CISO job today is more of a policy- and compliance-reporting position than one that tests and monitors networks. And the job has limited power to oversee a department's systems. As a result, says Mike Jacobs, former information assurance director at the National Security Agency and now an independent consultant, the federal government is at its "weakest state ever" in terms of homeland security. "I'm struck with how little power and capability to influence the CISOs have," he says. "Most are left to cajole those who own the IT funds to do what needs to be done from a security standpoint. Few, if any, have direct responsibility."


This excerpt is from Top IT cops say lack of authority, resources undermine security by Jill R. Aitoro of GovExec.com.
