Chief information security officers at federal agencies are more concerned about the quality of the software they buy than they were a year ago, and they are beginning to integrate security functions directly into their daily operations rather than rely on outside help, according to a recent study.
The study, based on a survey conducted by Intelligent Decisions Inc., found that these and other changes in CISOs outlooks reflect a growing maturity of the role of IT security within the government. After many years of struggling to implement a basic security framework, government agencies are turning to more complex issues.
"Theyve got the systems administration component of security down," said Roy Stephen, cyber-security director at Intelligent Decisions, in Ashburn, Va. "Before, people thought you could just put a firewall at the edge of the network. [Now] you need intrusion detection mechanisms on each machine."
Last year, CISOs typically sought training and installation with the purchase of new technology, but, increasingly, they are showing confidence that their own systems administrators can handle deployment and management. In a similar vein, the survey revealed that security operations are being rolled back into network operation centers rather than being approached as separate functions.
The agencies were not individually identified because the CISOs requested anonymity in order to participate in the survey, a spokesperson for Intelligent Decisions said.
The survey also showed that federal CISOs are spending considerably more time on compliance with the Federal Information Security Management Act of 2002 than they have in the past, which came as a surprise to the studys authors. CISOs spend an average of 3.75 hours per day on compliance activities, compared with 3.06 hours per day one year ago.
"We had hoped that FISMA would get easier and more automated as time went on," Stephen said. "The CISO is spending more time on it himself or herself. It just shows how big a concern it is."
Among the greatest concerns in government IT shops is the vulnerability of wireless networks and mobile devices, the survey found. CISOs remain worried about unauthorized wireless access points, unauthorized wireless deployments and rogue Wi-Fi devices.
"We know that every agency has wireless somewhere, whether they admit it or not," Stephen said.
Although wireless is prevalent throughout the government, fewer than half of the organizations surveyed had adopted security controls recommended by the NIST (National Institute of Standards and Technology). The recommendations include comprehensive policies, security tool configuration requirements, monitoring programs and policy training. Next month NIST is expected to float new wireless security guidelines, which will evolve into mandates for the federal agencies.