Federal Chief Information Security Officers Surveyed

Patch management number one concern, say respondents

Intelligent Decisions Inc., a systems integrator in the Washington, D.C., metropolitan area, today announced the results of its first annual Federal Chief Information Security Officer (CISO) Study. Across the board, federal CISOs ranked patch management as their number-one security concern -- pointing directly to significant issues with commercial software quality. The study highlights cyber attack preparedness, Federal Information Security Management Act (FISMA) compliance, and network compromise among major concerns that keep CISOs up at night.

The Federal CISO Study -- from telephone interviews with 25 of the 117 Federal agency CISOs -- is based on the first empirical survey of these executives. The goal of the study is to examine the role of the federal CISO and to understand their daily duties, budget and management responsibilities. The study outlines current and future IT security priorities, trends, concerns, as well as attitudes toward commercial security vendors.

The study reveals a "class" divide among federal CISOs -- those who control less than $500,000 and those who control more than $10 million in annual information technology (IT) spending. The security "have-nots" are loaded down with administrative tasks and struggle to get to strategic security management functions. This class of CISOs devotes 45 percent of its time to FISMA compliance reporting -- an administrative task -- and just 22 percent of its time to the high-value security management functions of architecture development, inventory control, and vendor collaboration that FISMA is supposed to encourage. The security "haves" spend 27 percent of their time on FISMA compliance reporting. This class devotes almost 50 percent of its time to high-value security management functions.

"It is clearly time for private industry to get serious about software quality," said Harry Martin, president of Intelligent Decisions. "CISOs rank product quality and past performance as the two most important criteria for evaluating vendors and solution providers. The weight of mechanical FISMA compliance reporting is clearly an issue for smaller agencies. Sixty-three percent of Federal CISOs at small agencies are calling industry to develop a real-time FISMA compliance tool. It would be logical to develop such an offering as a managed service to reduce the financial and administrative burden on these smaller agencies."

Other key study findings:
CISOs surveyed who control less than $500,000 annually:
  • Spend 45 percent of their time on FISMA compliance reporting, 13 percent on troubleshooting, nine percent on network monitoring, nine percent on collaborating with vendor/contractor partners, eight percent on system administration, six percent on architecture development, and six percent on inventory control
  • Consider the top three most important products/services to their agency to be network security/firewalls, intrusion detection/prevention systems, and authentication/PKI/encryption devices
  • Supervise 2.6 dedicated IT staff on average
  • Have served 3.2 years in their position on average.
CISOs surveyed who control more than $10 million:
  • Spend 27 percent of their time on FISMA compliance reporting, 18 percent on collaborating with vendor/contractor partners, 18 percent on troubleshooting, 15 percent on architecture development, 12 percent on inventory control, nine percent on network monitoring, and zero percent on system administration
  • Consider the top three most important products/services to their agency to be authentication/PKI/encryption devices, biometrics for user log-on authentication, and security information management tools
  • Supervise 16.7 dedicated IT staff on average
  • Have served three years in their position on average.