Second Federal CISO Study Reveals Concerns

Aug. 29, 2005
CISOs concerned over wireless security standards, software quality concerns

Ashburn, VA – Intelligent Decisions, one of the fastest growing systems integrators in the Washington, D.C. metropolitan area, today announced the results of its second annual Federal Chief Information Security Officer (CISO) Study. Across the board, Federal CISOs ranked increasing software quality assurance as the number-one area on which the private sector needs to focus, pointing directly to continuing major issues with software quality. The study highlights network compromise, patch management, and FISMA compliance among the major concerns that keep Federal CISOs up at night.

The Intelligent Decisions' second annual Federal CISO Study, based on telephone interviews and online surveys with 29 Federal agency CISOs from civilian and defense agencies of all sizes, follows the first annual empirical survey of these executives released in November 2004. The goal of the second study was to measure progress against the results of the first study and to capture a better understanding of the Federal CISO role, daily duties, budget, and management responsibilities. In addition to outlining current and future IT security priorities, trends, and concerns, the second study also queried Federal CISOs on issues relating to the security of their agency's wireless networks.

The second study reveals that Federal CISOs across the board are now spending 23 percent more time on FISMA compliance reporting than last year. Compared to the first study, Federal CISOs controlling more than $10 million in annual information technology (IT) expenditures are now devoting 48 percent more time on FISMA compliance reporting, while Federal CISOs controlling less than $500,000 are devoting 13 percent more time on these activities. This suggests that since the first study, the Federal CISOs at large agencies are becoming just as challenged as Federal CISOs at small agencies to carry out the strategic security management functions FISMA intended.

Federal CISOs also identified the expanding use of wireless networks and mobile devices as the number one trend anticipated to increase momentum over the next year. The study highlights unauthorized wireless access points, preventing unauthorized wireless deployments, and rogue WiFi devices among the major wireless security concerns that keep Federal CISOs up at night.

Yet, despite these and other concerns, 54 percent of Federal CISOs at agencies that maintain wireless networks indicated their agency has not implemented the four basic wireless security controls recommended in the Special Publication 800-48 by the National Institute of Standards and Technology (NIST). These controls include: comprehensive polices in the implementation and use of wireless networks, configuration requirements for deployment of wireless security tools, monitoring programs to ensure policy compliance, and wireless security policy training for employees and contractors

This finding suggests that the absence of clear, mandatory controls has led to a FISMA disconnect on wireless security, with many Federal agencies failing to ensure that proper controls were in place before rolling out wireless networks. To address the scattered implementation of these four basic controls, NIST plans to release revised wireless security guidelines for comment in September. These revised guidelines will form the basis for a new mandatory Federal Information Processing Standard (FIPS). Once issued, the new FIPS will mandate the adoption of these basic controls, among other standards, that will have a major impact on an agency's IT investment and FISMA compliance obligations.

"Federal CISOs have spoken loud and clear that it is well past the time for private industry to get serious about software quality," said Harry Martin, president, Intelligent Decisions. "Despite larger budgets and dedicated IT staff, Federal CISOs at larger agencies are becoming just as pressed as small agency CISOs to perform the strategic security management role that FISMA envisioned. Finally, given the scattered deployment of wireless security controls, questions remain as to whether Federal agencies are sufficiently prepared for mandatory standards."

Study Highlights:

  • The FISMA burden continues to grow as Federal CISOs now spend an average of 3.75 hours per day on compliance activities compared to 3.06 hours per day in the first study.
  • The top three trends Federal CISOs anticipate increasing over the next 12 months include: expanding utilization of wireless networks and mobile devices, single sign-on/multifactor authentication, and convergence of database and network security.
  • The top three products Federal CISOs consider most important to their agencies include: network security/firewalls, disaster recovery/continuity of operations planning, and authentication/PKI/encryption devices.
  • The top three activities Federal CISOs identify as the most important for the private sector to consider include: increasing software quality assurance, developing a real-time FISMA compliance tool, and offer guaranteed levels of protection for managed security services.
  • The top three general security concerns of Federal CISOs include: network compromise, patch management, and FISMA compliance.
  • The top three wireless security concerns of Federal CISOs include: unauthorized wireless access points, preventing unauthorized wireless deployments, and rogue WiFi devices.
  • 54 percent of agencies maintaining wireless networks have not implemented the four basic wireless security controls NIST recommends. This finding suggests that the absence of clear, mandatory controls has led to a FISMA disconnect on wireless security, with many Federal agencies failing to ensure that proper controls were in place before rolling out wireless networks.

To download the fully study, go to: www.intelligent.net/publicweb/about/cisoSurvey.htm