CISOs seek more support for cybersecurity programs

Additional funding and better standards are critical to threat protection, survey respondents say.

Federal chief information security officers anticipate continued challenges in fighting cyber threats unless agencies direct additional funding and focus to security, according to a report released Thursday.

The survey -- conducted jointly by (ISC)2, a security education consortium; technology solutions provider Cisco Systems; and security consultant Garcia Strategies -- found that CISOs' top wish was for more money for cybersecurity initiatives.

Only half the CISOs surveyed said they had the ability to significantly affect their agency's security as threats resulting from such factors as insecure software and poorly trained users continue to increase.

Only 10 percent said federal procurement policies helped them achieve their agencies' missions, and an even smaller percentage said Congress understood their challenges well enough to provide adequate support.

Survey respondents said stronger enforcement of security mandates should be an important priority for White House Cybersecurity Coordinator Howard Schmidt. They said a number of tools and standards were useful, including the Consensus Audit Guidelines, which define the most critical security controls needed to protect federal systems.

Eighty-five percent of respondents said continuous monitoring of threats was the best way to evaluate security. But only 3 percent said the Federal Information Security Management Act provided useful metrics for such monitoring.

Alan Paller, director of research at the SANS Institute, a computer security training firm, said that's a problem, because agencies spend $500 million annually on reports required under FISMA.

"That money is enough to enable automation and skills upgrading to do the advanced monitoring needed for protection," Paller said. "As long as they keep wasting money on the out-of-date reports, though, they won't be able to invest where the money is needed most."
