Friday, August 15, 2008

Is This You Too?

Is this you too?

To understand what it's like to be a federal chief information security officer, consider Larry Ruffin. As CISO at the Interior Department, his job could be described as having little to do with being a chief and not much more about security.

Although he regards Interior's current information security as "far from inadequate," Ruffin and Chief Information Officer Michael Howell don't have a way to check that the department's network security is configured correctly or to monitor suspicious activity on a daily basis. Ruffin also has no authority and few resources to check on the security of employees' equipment, such as laptops, workstations and servers, or to monitor specific applications. He has to rely on verbal and written promises from Interior's bureau managers that they are complying with security policies. To a limited extent, Ruffin says, he conducts on-site checks of systems, which in the end offer little insight into the state of IT security departmentwide.

"How do you take control, when you don't [have authority over] the funds or maintain clear authority to make decisions? That stymies processes," Ruffin says. "We don't get clear approvals and don't feel empowered to make decisions that might have budgetary impacts. Those decisions can get made, but rarely."

Ruffin isn't alone. His experience is common to CISOs across government. Security budgets are paper thin, and CISOs rarely have the authority to enforce security policies down deep into individual department offices. Their job is one of frustration; they're aware of what's required to protect agency networks, but unable to get the job done. It's no wonder that more security analysts are warning of serious security breaches, if they have not occurred already...

The CISO job today is more of a policy- and compliance-reporting position than one that tests and monitors networks. And the job has limited power to oversee a department's systems. As a result, says Mike Jacobs, former information assurance director at the National Security Agency and now an independent consultant, the federal government is at its "weakest state ever" in terms of homeland security. "I'm struck with how little power and capability to influence the CISOs have," he says. "Most are left to cajole those who own the IT funds to do what needs to be done from a security standpoint. Few, if any, have direct responsibility."


This excerpt is from Top IT cops say lack of authority, resources undermine security by Jill R. Aitoro of GovExec.com.
