The failed exchange

This just in: another chapter in the heavy book about how the federal government is relegating cybersecurity to a little room under the stairs.

In case you haven’t heard, the proposed federal CISO Exchange has imploded, after U.S. Office of Management and Budget withdrew its support for the nascent program. It was a good idea done in a bad way: a public-private initiative focused on bringing together federal CISOs with private industry to improve the government’s near-failing information security report card (very good), and a for-profit forum led by a slick PR man, with memberships that would cost up to US$75,000 (very bad).

In all the squabbling over whether private-industry members would have been buying access to political heavyweights, there seems to be just one thing that everyone agrees upon: Federal CISOs need a place to formally come together. Worrying about a joint community for CISOs and private industry seems a little like putting the cart in front of the horse, when right now, federal CISOs don’t even have a formal setting where they can convene without private industry.

In fact, there are four good models for how this kind of group could be set up. They are the Chief Information Officers Council, the Chief Financial Officers Council, the Chief Human Capital Officers Council and the Chief Acquisition Officers Council. Each of these inter-agency groups provides its “Os” with a forum for talking about industry best practices. But while their membership parallels what the CISO Exchange’s would have been (minus the vendors), there are two big differences. The Councils are mandated by the federal government, and they are paid for by the federal government.

“They do what they call ‘pass the hat,’” explains Gary Winters, director of interagency management in the General Services Administration’s Office of Governmentwide Policy. “Each agency ends up contributing based on an algorithm that comes up from OMB [the Office of Management and Budget].” The one exception is the Chief Human Capital Officers Council, which is administered by the federal Office of Personnel Management. The Councils are not expensive, Winters adds, because they have little overhead.

Still, it would take a lot more than a press conference or two to get a CISO Council off the ground. Unlike the CISO Exchange, each of the Councils was created by federal legislation. The CIO Council, for example, was created by Executive Order and later the E-Government Act of 2002, and the CFO Council was created by the Chief Financial Officers Act of 1990. Rep. Tom Davis (R.-Va.), who announced the formation of the CISO Exchange, does not seem poised to introduce such legislation. He has distanced himself from the failed Exchange to the extent that his office did not answer questions about its next possible iteration.

Meanwhile, the CIO Council has vowed to incorporate the task of improving cybersecurity grades into the work of its Best Practices Committee. “The CIO Council supported and still supports an approach to sharing IT security best practices with industry,” Dan Matthews, vice chair of the CIO Council and CIO of the Department of Transportation, said in a written statement to Alarmed. “The CIO Council Executive Steering Committee and the Best Practices Committee seek to restructure the CISO forum to ensure it is open and accessible to all.” As for whether CISOs deserve a council of their own, Matthews answered, “The Federal CIO Council believes leadership for CISO activities is best handled through the Federal CIO Council.”

Sound familiar? Maybe that’s because when the CIO Council folded its Security, Privacy and Critical Infrastructure Committee in late 2001, the government’s de facto CIO, Mark Forman, indicated that security would be incorporated into the Council’s other committees.

A CIO-led forum is definitely better than nothing, but it still falls short of what we need to give federal information security the attention it deserves. Over the past few years, private-sector CISOs have increasingly demanded, and gained, a measure of independence from the information technology function.

Federal CISOs need a room of their own, too, one that’s located somewhere at the top of the stairs.