Detaching IT security officers would harm cybersecurity, CIOs warn

Proponents back legislation to give chief information security officers autonomy to better enforce federal network security management.

The chief information officers of three large federal agencies are warning that legislative proposals intended to strengthen the role of chief information security officers by removing them from the CIO's office would undermine cybersecurity on federal networks.

Many different cybersecurity bills have circulated in the House and Senate during the past year, as Congress and the White House have grown increasingly concerned about actual and potential attacks on both federal and private sector systems. Some proposals have called for the CIO and CISO to be separated in an agency's organizational structure, rather than work in the same office as they typically do now. Supporters of such a rearrangement argue CISOs need autonomy to enforce information security management.

"One of the things I feel strongly about that has been in the legislation that I disagree with is talk about the CISO being completely independent of the CIO," Justice Department CIO Vance Hitch said at a meeting with members of an advisory board that provides recommendations on federal cybersecurity and civil liberties to Congress and to the National Institute of Standards and Technology, Commerce Department, and Office of Management and Budget.

Hitch, General Services Administration CIO Casey Coleman and Agriculture Department CIO Chris Smith on Tuesday shared their perspectives on what additional resources, policies and laws the federal government needs to bolster cybersecurity. The Information Security and Privacy Advisory Board also invited the public to participate via a new webcasting tool called eComment, which provides an online form through which Internet users can submit feedback for the board's review.

Almost simultaneously, Hitch's colleagues panned the idea of detaching their CISOs -- a concept supporters say would ensure that CIOs don't merely pay lip service to the importance of security until it comes time to request funds to pay for it in the annual budget.

"Bad move," said Coleman. Smith: "It'd be a disaster."

Smith added: "If you put a CISO outside my organization, I've now got to manage another party of stakeholders' interests for the Department of Agriculture, when it's already fragmented 15 ways till Sunday to even get IT done. It would be disastrous. It would just add a level of bureaucracy that would cause greater dysfunction. It would not be efficient or effective."

Coleman said if the chief information security officer were to be removed from the CIO's office, then CIOs still would need an information security-like official in their office so that they can be cost-effective in balancing risk and management decisions.

Some board members, however, said having CISOs do external auditing might be more practical than expanding the authority of outside investigators to seek to improve information security compliance.

"You would have to empower the IGs to be more aggressive. And you might want to think about whether that's a direction in which you want to drive the system knowing what you know about the level of expertise in cyber matters that your IG does or doesn't have," said Fred Schneider, a computer science professor at Cornell University.

But a Social Security Administration inspector general on the board said she depends on her agency's CISO, who resides in the CIO's office, to make auditing decisions. Gale Stone, SSA deputy assistant IG for audit, said when she had a chance to comment on the proposed legislation, she recommended that the independent chief information security officer language be stricken.

The inspector general's office "had some influence in the direction that SSA took in establishing its CIO's office. We did see the CISO as being critical there because they were doing that audit function across the organization," Stone said. "They were there to help with the monitoring and enforcement. And because we were working closely with them, we had a much better understanding of what was going on across the organization."

Board chairman Dan Chenok, a senior fellow in the IBM Center for the Business of Government, said the most recent legislation he has seen leaves "a little bit of wiggle room" for an agency to decide on the location of the CISO. Chenok was a member of the 2008 transition team that helped then-President-elect Obama formulate his incoming administration's IT policies.

A bipartisan cybersecurity bill, S. 3480, introduced in June and co-sponsored by Sens. Joe Lieberman, I-Conn., and Susan Collins, R-Maine, would demand that the department leader delegate to a senior agency officer, designated as a CISO, "the authority and budget necessary to ensure and enforce compliance with" federal security requirements.

The CISO would hold a lesser position under federal information security provisions the House passed in May as part of the Defense Department spending bill. That measure, H.R. 5136, would mandate that the department leader delegate those responsibilities to an agency official, designated as the CISO, "under the authority of the agency chief information officer."
