Chief information security officers at federal agencies are more concerned about the quality of the software they buy than they were a year ago, and they are beginning to integrate security functions directly into their daily operations rather than relying on outside help, according to a study released today.
The study, based on a survey conducted by Intelligent Decisions Inc., found that these and other changes in CISO outlook reflect a growing maturity of the role of IT security within the government. After many years of struggling to implement a basic security framework, government agencies are turning to more complex issues.
"Theyve got the systems administration component of security down," said Roy Stephen, cyber security director at Intelligent Decisions, in Ashburn, Va. "Before, people thought you could just put a firewall at the edge of the network. [Now] you need intrusion detection mechanisms on each machine."
Last year, CISOs typically sought training and installation with the purchase of new technology, but increasingly they are showing confidence that their own systems administrators can handle deployment and management. In a similar vein, the survey revealed that security operations are being rolled back into network operation centers rather than being approached as separate functions.
The agencies were not individually identified because the CISOs requested anonymity in order to participate in the survey, a spokesperson for Intelligent Decisions said.
"People are not as interested in getting specialized cyber security help. Theyre more interested in having it built into their daily functions," Stephen said.
The survey also showed that federal CISOs are spending considerably more time on compliance with the 2002 Federal Information Security Management Act than they have in the past, which came as a surprise to the studys authors. CISOs spend an average of 3.75 hours a day on compliance activities, compared to 3.06 hours one year ago.
"We had hoped that FISMA would get easier and more automated as time went on," Stephen said. "The CISO is spending more time on it himself or herself. It just shows how big a concern it is."
Among the greatest concerns in government IT shops is the vulnerability of wireless networks and mobile devices, the survey found. CISOs remain worried about unauthorized wireless access points, unauthorized wireless deployments and rogue Wi-Fi devices.
"We know that every agency has wireless somewhere, whether they admit it or not," Stephan said.
Although wireless is prevalent throughout the government, fewer than half of the organizations surveyed had adopted security controls recommended by the National Institute of Standards and Technology. The recommendations include comprehensive policies, security tool configuration requirements, monitoring programs and policy training. Next month NIST is expected to float new wireless security guidelines, which will evolve into new mandates.