[ISN] Top IT cops say lack of authority, resources undermine security


By Jill R. Aitoro  
August 11, 2008  

To understand what it's like to be a federal chief information security 
officer, consider Larry Ruffin. As CISO at the Interior Department, his 
job could be described as having little to do with being a chief and not 
much more to do with security.

Although he regards Interior's current information security as "far from 
inadequate," Ruffin and Chief Information Officer Michael Howell don't 
have a way to check that the department's network security is configured 
correctly or to monitor suspicious activity on a daily basis. Ruffin 
also has no authority and few resources to check on the security of 
employees' equipment, such as laptops, workstations and servers, or to 
monitor specific applications. He has to rely on verbal and written 
promises from Interior's bureau managers that they are complying with 
security policies. To a limited extent, Ruffin says, he conducts on-site 
checks of systems, which in the end offer little insight into the state 
of IT security departmentwide.

"How do you take control, when you don't [have authority over] the funds 
or maintain clear authority to make decisions? That stymies processes," 
Ruffin says. "We don't get clear approvals and don't feel empowered to 
make decisions that might have budgetary impacts. Those decisions can 
get made, but rarely."

Ruffin isn't alone. His experience is common to CISOs across government. 
Security budgets are paper thin, and CISOs rarely have the authority to 
enforce security policies down deep into individual department offices. 
Their job is one of frustration; they're aware of what's required to 
protect agency networks, but unable to get the job done. It's no wonder 
that more security analysts are warning of serious security breaches, if 
they have not occurred already.
