[ISN] Compliance taking over IT security chiefs' schedules

InfoSec News isn at c4i.org
Wed Aug 31 04:01:50 EDT 2005


By Daniel Pulliam
dpulliam at govexec.com 
August 30, 2005 

Agency chief information security officers are spending more time 
complying with laws governing the safekeeping of computer and network 
systems, according to a survey. 

With the burden of complying with the 2002 Federal Information 
Security Management Act growing, CISOs are spending an average of 3.75 
hours per day on FISMA, a law written to bolster agencies' computer 
and network security. Last year, the survey found that CISOs spent an 
average of 3.06 hours on FISMA compliance. 

Intelligent Decisions Inc., a technology firm based in Ashburn, Va., 
commissioned the 21-question [1] survey, which was conducted through 
online and telephone interviews with 29 top government security 
officials from both large and small civilian and Defense Department 

This was the second CISO survey that Intelligent Decisions conducted. 
The first survey [2] found that agencies with smaller information 
technology budgets were spending far more time on FISMA compliance 
than agencies with large budgets. Smaller agencies were those with 
less than $1 million in annual IT expenditures. 

The 2005 survey found that gap shrinking, with CISOs with smaller 
budgets spending between 51 percent and 59 percent of their time 
complying with FISMA and CISOs at larger agencies spending between 38 
percent and 40 percent of their time on compliance.

"You will still see that a majority of their time is managing that 
compliance reporting," said Roy Stephan, Intelligent Decisions' 
cybersecurity director. "We've seen them come back into alignment, 
where larger agencies and smaller agencies are spending about the same 
amount of time on compliance." 

According to the survey, about three-quarters of a CISO's typical day 
is spent on administrative tasks, which is down by about 33 percent 
from 2004. Strategic management tasks take up the other quarter. 
Intelligent Decisions speculates that IT security is becoming less 
like a technology program and more of a policy and process challenge 
for managers. 

The top trends identified by the survey were the increase of wireless 
and mobile devices, the rise of single sign-on and multifactor 
authentication, and the convergence of database and network security. 
Other trends included the convergence of physical security and 
cybersecurity, the growing interest in biometric systems, outsourcing 
of security functions to the private sector, and an increase in 
public-private partnerships. 

CISOs' top three concerns, according to the survey, were network 
security, system and application maintenance, and fulfilling FISMA 

Basing its information on a Government Accountability Office report on
wireless security [3] released earlier this year, the survey found
that chief among CISOs' concerns were unauthorized wireless access
points and wireless devices.

Of those surveyed, 46 percent said their agency used a wireless 
network, but there was inconsistent implementation among agencies of 
basic wireless security controls. 

[1] http://www.intelligent.net/publicweb/about/cisoSurvey.htm
[2] http://www.govexec.com/dailyfed/1204/120604p1.htm
[3] http://www.govexec.com/dailyfed/0505/052005p1.htm

More information about the ISN mailing list