Industry group draws scrutiny

Davis, CIO Council reassess their involvement with the Chief Information Security Officer Exchange program


Government officials last week scaled back their involvement in a newly formed public/private council of security officers amid controversy about the appearance that a select group of vendors could have undue influence on public policy.

O'Keeffe and Co., an Alexandria, Va.-based public relations and marketing agency, spearheaded development of the Chief Information Security Officers (CISO) Exchange as a forum for discussions between government officials and industry executives. Full industry membership costs $75,000.

Backers have used the participation of Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, and the CIO Council's sponsorship as selling points in materials aimed at soliciting industry members.

"It seems as if all you're doing is selling access to Congress," said Mark Amtower, a partner at Amtower and Co.

Davis' association with the organization changed late last week when his spokesman, David Marin, announced that the congressman would withdraw from the exchange in any official capacity. A photograph of Davis, which had been in the advisory board section of the CISO Exchange Web site, was taken down April 7.

CIO Council officials are also "reviewing the proposed structure of that forum to ensure that it is accessible and is consistent with open access to federal resources," said Dan Matthews, the council's vice chairman.

While observers praise the concept of a CISO Exchange in the hope of raising the visibility of cyber-security issues, the controversy swirling around the exchange has instead raised questions about similar organizations and the appropriateness of holding events for government officials that industry representatives pay to attend. Scores of companies organize a wide variety of such events, including 101Communications' FCW Media Group, which owns Federal Computer Week.

Like its competitors, FCW Media Group hosts a series of events, such as the Government CIO Summit. Much of the controversy around the CISO Exchange, however, stems from the perception of an inappropriate link between the group's paying members and government policy-makers.

Steve O'Keeffe, executive director of the CISO Exchange and the principal of O'Keeffe and Co., said the group's members would publish an annual report on federal information security priorities and operational issues and would host an annual awards dinner on the evening that Davis announces the latest federal computer security report card grades.

Industry observers say the issue is the annual report on federal priorities. Given the involvement of senior members of Davis' staff and the CIO Council, the group's report could be perceived as representing government policy.

CISO Exchange publicity had listed Melissa Wojciak, staff director for the House Government Reform Committee, and Vance Hitch, the Justice Department's CIO and the CIO Council's privacy and security liaison, as co-chairing the group's advisory board. The board will select the annual report's topics. To "contribute in the development" of that report, industry participants were invited to pay $25,000 or $75,000, according to CISO Exchange materials. Some industry sources have worried that with Wojciak, Hitch and federal CISOs' names attached, the report would carry official weight.

Marin said Wojciak will continue to informally participate in the exchange, but Davis "wants to make absolutely sure that no one infers that the committee's name or resources are being used to support a commercial endeavor or that the committee's role will imply that any work product produced will somehow have the committee's imprimatur on it. Nor does he want any would-be sponsor to believe that sponsoring the exchange means they will have an inside track to him or committee staff."

"If in fact you cannot contribute [to the report] or participate without being a sponsor, then that would be a cause for concern," said Amit Yoran, formerly director of the Homeland Security Department's Cyber Security Division. "It sounds like it's unclear whether or not that's the case."

The exchange "represents a new model in public/private interaction and collaboration, and we are very proud of the construct," O'Keeffe said. When asked about the necessity of paying to be able to contribute to the report, he said, "I have not made it an exclusive situation."

The Exchange's structure consists of two advisory board co-chairs, six federal executives, mostly CISOs, and six system integrator company representatives, each of whom must pay $75,000. The board selects the topics of the annual report on federal information security priorities.

Industry officials can pay $25,000 to join at a lesser level and "contribute in [the] development" of the annual report, but not sit on the board. The third and least expensive level of industry participation is $5,000, for which industry officials can enter a lottery to attend quarterly CISO Exchange events but cannot play a role in the report's development.

The money will be used to pay for expenses of the exchange's quarterly events and preparation of the annual report, O'Keeffe said. His company will charge by the hour for CISO Exchange support.

Industry participants at the $5,000 level will also be able to contribute to the report, he said.

The group's publicity has also included a quote from Hitch stating that "agency CIOs will require their CISOs to attend the CISO Exchange full program meetings." That quote was wrongly phrased, O'Keeffe said. "This quote should have read 'ask' their CISOs to attend," he said. Hitch could not be reached for comment.

Controversy surrounding the program has been around since Davis announced its creation in February.

"I would have been happier if this had come about through a nonprofit that was open to everyone," said Thomas Hewitt, a member of the board of directors at Sigaba, an information security management company. "I absolutely applaud the founders for creating the CISO Exchange." However, "access to government employees should be available to all people, not just those with a large budget."

"If this was a group driven by industry and run by industry," there would be no problem with the arrangement, one industry source said. "But when the chairman is the staff director of the full Government Reform Committee, it gives it a different level of credibility and attention."

Paul Kurtz, executive director of the Cyber Security Industry Alliance, said he's in a wait-and-see mode. "I'd like to learn more from Congressman Davis' staff as to what their roles are going to be," he said. Efforts to raise the profile of information security should be welcomed, "but the devil's in the details," he added.

Don Upson, formerly Virginia's secretary of technology, who helped conceptualize the CISO Exchange, said industry officials who feel shut out by the steep prices of the CISO Exchange are always free to contact participating government officials directly.

Money collected through the exchange is unlikely to yield a profit, he added. Upson said he's involved in the exchange "because it's the right thing to do, because I'm passionate about what this technology and management can do, and because I have been for 27 years."

O'Keeffe defended the CISO Exchange as being no different from other private sector events featuring government speakers.
