SlideShare ist ein Scribd-Unternehmen logo

CISO Survey Report 2010

S
Scientia Groups

2010 State of Cybersecurity from the Federal CISO’s Perspective – An (ISC)² Report

Technologie
1 von 12
The 2010 State of Cybersecurity from the Federal CISO’s Perspective — An (ISC)2 Report Garcia StrateGieS, LLc
The 2010 State of Cybersecurity from the Federal CISO’s Perspective – An (ISC)2® Report EXECUTIVE SUMMARY In May 2009, President Barack Obama, in the first-ever presidential speech dedicated entirely to cybersecurity, proclaimed that the nation’s digital infrastructure should be considered a “strategic national asset.” Those weighty words affirmed what specialists in the Internet security field have long recognized and built careers around. But the fact that those words were uttered by the President of the United States in a nationally televised address ushered in a new era of national awareness – and perhaps government activism — about the ongoing and pervasive vulnerabilities and threats that government, business, academic and personal users face in our online world every day. The federal government’s cadre of chief information security officers (CISOs) – no strangers to the ebb and flow of political tides that affect their mission – currently view this emergent national awareness with an ambivalent mix of hope and wonder. They see greater awareness but still insufficient resources to protect “There is more attention to and our networks; better tools and training but increasing threats and awareness of the magnitude of attacks on our infrastructures; and more security initiatives within and the problem; attention leads to across the agencies, but organizational structures not yet equipped to resources and action.” get ahead of our adversaries and our own operational flaws. We are seeing measurable progress; indeed, trend lines are favorable, as suggested in the survey findings of the second annual “State of Cybersecurity from the Federal CISO’s Perspective – An (ISC)2 Report”. A joint effort between (ISC)2, Cisco and Garcia Strategies, this report is intended as a tool to track developments in our ability to assess and protect the security of those strategic national assets entrusted to our public servants. On the front lines of this ongoing battle are the nation’s federal CISOs, and we present these findings to reflect their views for the benefit of their peers, policymakers and the public. KEY SURVEY FINDINGS If there is one theme that characterizes the results of this year’s survey, we turn to the well-known aphorism by Socrates - “know thyself” - which suggests that in order for us to truly understand the world, we must first understand ourselves. In cybersecurity, this means that awareness of our challenges and opportunities is the first step toward being able to do something about it - to change the status quo. 2
Garcia StrateGieS, LLc This survey organizes CISOs’ perspectives into four categories: security posture, workforce effectiveness, resources and tools and policy and emerging initiatives. First, what federal CISOs see in the nation’s security posture in 2010 is not significantly different from that reported in 2009. Half believe we’re better off than last year, while the other half see that we’re worse off or no better in our ability to protect our networks. Half of the CISOs in 2010, fewer than in 2009, report that they feel they have a significant ability to impact the security posture of their agency. Yet they continue to see vulnerabilities and incidents. They identify software, poorly trained users and/or insider threats as continuing problems that they rate as even more severe than external threats such as nation states, Website vulnerabilities and spear phishing. Looking at security through the lens of workforce effectiveness, CISOs continue to show overall satisfaction with their jobs, yet their job requirements have evolved beyond the technical, with half of the respondents being asked to deliver more managerial, policy and political responsibilities in their roles. So they rely heavily on well-trained staff with highly valued professional certifications and are turning to Scholarship for Service students and contractor conversions for many of their hiring needs. Outside of their own control, CISOs must rely on a variety of internal and external tools and resources to get their jobs done – whether it’s technology, Congressional funding, bureaucratic operations or cross-agency protective initiatives. Among these areas, CISOs’ satisfaction is mixed. They continue to deploy intrusion detection and intrusion prevention technologies and, compared to 2009, have an improved view of the cross-agency “Einstein” IDS/IPS program managed by the Department of Homeland Security’s U.S.-CERT. And while many are taking advantage of the Information Systems Security Line of Business (ISS-LOB), only 10 percent are satisfied with their own agency HR and procurement operations to facilitate their mission execution, and even less have any confidence in the ability of Congress to understand their mission and provide adequate resources. These results square with CISOs’ perspectives about policy and emerging initiatives, in which more than half of the CISOs would advise the new White House Cybersecurity Coordinator, Professor Howard A. Schmidt, CISSP, CSSLP, Fellow of (ISC)2, to place increased agency funding and enforcement of security mandates at the top of his priority list. This suggests the need for a strong and proactive educational outreach strategy with Congress. As for emerging initiatives, cloud computing 3
may be a part of a broad government initiative, but almost ¾ of respondents admit they’re not using the cloud because of the range of security concerns they need to understand before deploying their data and applications in the cloud. Those same concerns, however, have not stopped adoption of Web 2.0 social networking applications to enhance the ubiquity and usability of government services. Seventy-eight percent of CISOs who use Web 2.0 services say they have enforced security policies in place, suggesting considerable alignment of new services with security policies. RECOMMENDATIONS These survey results suggest that, from a broad perspective, the issue of cybersecurity has matured in the minds of the American public and the federal stewards of our information infrastructure, such that we are coming to “know thyself,” with the awareness of our challenges as a starting point for improvement. From the results of this survey and the trends that emerged from last year’s report and other sources, we can advance a few key recommendations that will build on the progress CISOs have made over the last several years. First, if our digital infrastructure is indeed a strategic national asset, then it is incumbent upon Congress to give CISOs sufficient funding to protect government networks. Digital pennies can save us analog dollars. Then, CISOs must use the appropriate tools for measuring risk and security and be held accountable for meeting their agency’s mission requirements. They cannot be held accountable for poorly defined and unfunded mandates. Second, CISOs need to be given the flexibility and creativity it takes to be competitive with the private sector in recruiting qualified and motivated staff. While CISOs clearly see certifications as an important measure of qualification, other factors like the ability to offer strong in-house training and hands-on experience must factor into hiring decisions. Third, CISOs and the government officials who support them need to do a better job of educating the Congress about the business case for how better security will improve government services, reduce costs for software maintenance and incident response and protect critical, sensitive data. If they succeed, the additional attention they receive from lawmakers may raise their visibility within their organizations and result in better operational support from functions such as human resources and procurement. Finally, consistent with one of the recommendations we made in 2009, there needs to be a continuing and stronger emphasis on protection and management of data, distinct from focusing too heavily on threats and attacks. As practitioners, CISOs report that they can maintain strong security in a way that protects privacy without infringing upon it, that we can have an open government policy of transparency while keeping security policies in place to protect sensitive information and that outsourcing services to the cloud does not mean outsourcing truly critical data. Decisions on security policy and implementation need to be considered through this prism of data management imperatives. 4
Garcia StrateGieS, LLc SURVEY DETAILS DESPITE INCREASING ATTENTION TO TOOLS AND METRICS,THREATS STILL LOOM Federal CISOs are seeing greater awareness of their Most Useful Metric Tools Most Useful Metric Tools missions but not enough improvement in the security 11% CAG - 31% posture of the federal domain. Almost 50 percent 3% 31% SCAP - 27.5% of respondents say they have significant ability NIST 800-53 - 27.5% 27.5% FISMA - 3% to impact the security of their organization, but the Other - 11% same number say the security problem is either worse 27.5% or the same as it was one year ago. But CISOs believe we are potentially poised to see much better gains in our security posture. As one CISO observed, “There is more attention to and awareness of the magnitude of the problem; attention leads to resources and action.” “Metrics are unclear because of To build on their ability to improve their agency’s security posture, our inability to link compliance CISOs point to several useful tools in their arsenal. The Consensus Audit with reduction of impact.” Guidelines (CAG), Security Content Automation Protocol (SCAP) and the NIST 800-53 guidelines all receive high marks for being most useful. In addition, they almost universally (94 percent) believe that the government should include specific, mandatory security requirements in every major IT procurement. In this environment, 85 percent of these practitioners reported that continuous monitoring is the most useful metric for measuring the level of security. However, the ongoing evolution of threats makes measurement of our progress difficult. As one CISO observed, “Metrics are unclear because of our inability to link compliance with reduction of impact.” Asked to rank the number one threat in terms of severity, 27 percent identified exploitable software vulnerabilities, followed by 24 percent for insiders. Interestingly, however, 43 percent of CISOs blame insecure software for less than a quarter of detected security breaches. Only one in 15 Most SevereThreats Most Severe Threats respondents was able to claim that 75-100 percent 6% Exploitable Software Vulnerabilities - 27% of those breaches were due to insecure software. This 12% 27% Insiders - 24% suggests a possible anomaly based on the complexity Foreign Nation State - 21% 9% of managing multi-layered network security – that widely Website Vulnerability -9% 24% Poorly Trained Users -12% held assumptions about software vulnerabilities aren’t 21% Spear Phishing - 6% easily linked to attributable security incidents. 5
THE NEED FOR FLEXIBILITY IN MANAGING OUR MOST IMPORTANT ASSET Many organizations today, whether government or private sector, have adopted the mantra, “people are our most important asset.” It is no different among federal CISOs, whether they’re concerned with their own job satisfaction or the quality of the people they need to manage their infrastructure. When asked about their level of job satisfaction, 63 percent of the CISOs confirmed they were either satisfied or very satisfied with their jobs, which is attributable in part to their strong belief that they have a significant impact on the security of their organizations. A motivated workforce is often a successful one. Solution or Problem? CISOs See Their Duties Becoming More: Still, half of the CISOs see their jobs taking on more managerial, policy and Technical 25.8% political elements on top of their existing technical duties, and they know they Managerial 51.6% can’t do it all alone. They, accordingly, Political-/ 54.8% lean significantly on a well-trained and Policy-Oriented experienced staff. Sixty-eight percent 0 20 40 60 80 100 of respondents say they have adequate Technical Managerial Political- / Policy-Oriented training resources, but equally important to them are professional certifications, which more than 70 percent ranked as high or very high in importance when hiring or promoting employees. A similar number believe that security certifications should be mandatory for security professionals across the government. This tracks closely with 2009 data, which showed 75 percent of CISOs advocating mandatory certifications across the government. The most prevalent certification held among the CISOs responding is the CISSP® (62 percent), followed by CISM (25 percent) and NSA-IAM (13 percent). Looking ahead to staff augmentation, CISOs estimate that contractor conversions and the private sector will each make up 30 percent of their hires, with a similar number from internal sources. In terms of tapping the talent of our next generation’s workforce in the Scholarship for Service (SFS) program, 44 percent of the CISOs expect to hire one to five SFS students, CISOs SeeTheir Duties Becoming More: 12 percent will hire more than six, while another 44 percent will not take advantage of this resource. OUTSIDE RESOURCES: PART OF THE SOLUTION OR PART OF THE PROBLEM? 54.8% This is likely the question many CISOs regularly ask about the outside influences that can help or hurt execution of their mission – whether it’s their internal HR and procurement department, security lines of business which allow agencies to outsource security expertise to other agencies, the DHS Einstein and TIC program for monitoring network traffic in and out of the .gov domain or mission authorization and appropriations from Congress. 6
Garcia StrateGieS, LLc Solution oror Problem? Solution Problem? Looking at the numbers, CISOs are showing more confidence Einstein and TIC 27% 54% 19% in the Einstein program, which was characterized in last year’s report Procurement and HR 40% 50% 10% as frustrating and too externally Congress 56% 37% 7% focused. In 2010, almost ¾ of the respondents report they are 0 20 40 60 80 100 satisfied to somewhat satisfied Not Satisfied Somewhat Satisfied Very Satisfied with this cross-agency intrusion detection/prevention program, which may be due in part by the fact that the same number are complementing the effort with the use of IDS and IPS on their networks, as well as automated ID management and many other sophisticated security tools. Relying on others to support their efforts, CISOs are outsourcing select security expertise to other agencies through the ISS-LOB, with 62 percent participating in the program and 10 percent serving as lines of business for other agencies.† That level of CISO confidence, however, is not so strong among their own agency human resources and procurement functions, which they depend on for timely and high-quality hiring and technology acquisitions, with 40 percent expressing no satisfaction with those performance functions. Similarly, when it comes time to “show me the money,” 57 percent of CISOs are not confident that Congress understands their mission well enough to provide sufficient funding – either for hiring or technology. There may be some promising signs, however, in pending legislation that recognizes these recruitment challenges by requiring an annual report on hiring effectiveness. HEY, YOU, GET ON TO MY CLOUD How the Cloud Enables Security How the Cloud Enables Security The continual march of technology brings a stampede 11.1% ID-RBAC - 40.7% of vulnerabilities. CISOs must constantly assess how new Architecture improvements - 37% 11.1% technologies and capabilities can enable or enhance their 40.7% Improved failover and service-level performance - 11.1% agency missions without introducing new, unacceptable Other - 11.1% 37% risks. Looking at some of these emerging technologies facing CISOs, cloud computing and Web 2.0 services † The ISS-LOB designates agencies as “shared service centers” for lines of business in FISMA reporting; certification and accreditation; IT security awareness training; and Trusted Internet Connections Access Providers (TICAPs). 7
Biggest Security Concerns with the Cloud Biggest Security Concerns with the Cloud show business promise but security peril. 72 percent 3.6% of CISOs in the survey report that they do not yet Replicating security policy - 44.8% 10.3% use cloud computing because of the high levels of Data Loss prevention - 20.7% 10.3% 44.8% Adapt Einstein/TIC - 10.3% uncertainty around being able to replicate IT security 10.3% COOP Compliance -10.3% policy in the cloud (45 percent) and data loss prevention HSPD 12 -10.3% 20.7% Other - 3.6% (21 percent). Those who see promise in cloud computing, conversely, also see potential for improving security, particularly through ID-based network solutions that employ role-based access controls, or RBAC (41 percent), as well as design improvements that enable the cloud with a strategic architecture (37 percent). All CISOs reporting that they do use cloud computing services for mission delivery say they have enforced security policies in place, which suggests there could be some useful templates in place as reference for other CISOs wanting to explore their options. While experience continues to show that we need to be circumspect in the use of Web 2.0, social networking and P2P technologies, many CISOs see less complication in the security issues surrounding them, as 62 percent are using those services as part of their mission delivery system. Almost 80 percent of those using those services claim to have enforced security policies in place. This suggests a general recognition of the power of those tools in implementing the Obama Administration’s Open Government initiative as long as there is control over distributed usage among employees. The Marine Corps, for example, announced on March 29, 2010, that it is lifting the ban on the use of social networking to allow those out in the field to maintain communications with home. In balancing the sometimes competing demands between information transparency and protection and information security and privacy, responding CISOs do not feel as conflicted as the policy debates would suggest. Three-quarters of CISOs report that they have data security White House CybersecurityCoordinator for a Day White House Cybersecurity Coordinator for a Day policies in place to balance Recommended Highest Priorities Recommended Highest Priorities the needs of transparency and 3% 7% Improve agency funding for and enforcement of security mandates - 21% 21% TIC & Einstein deployment and implementation - 21% information protection. About 9% Expand cyber cordination to states and private sector - 18% the same number do not 9% Public awareness -12% believe that privacy protections 12% Develop a national cyber incident response capability - 9% 21% Develop a national cyber training institute - 9% undermine the needs of security 18% International collaboration and deterrence strategy - 3% or that security monitoring Other - 7 % technologies necessarily 8
Garcia StrateGieS, LLc encroach on privacy rights. This perhaps goes to the heart of reconciling what we are trying to protect versus what we are trying to stop. Finally, CISOs were asked to be the White House Cybersecurity Coordinator for a day and make recommendations for what should be the highest priorities for that office. Not surprisingly, improved agency funding ranks highest, followed by effective TIC/Einstein deployment to protect agency networks. Almost as many – 18 percent – acknowledge the importance of expanding cybersecurity coordination to states and the private sector. CONCLUSION In our vastly interconnected digital world, national understanding of “cybersecurity” as an issue and a discipline has evolved from ignorance to discovery, to what is now sober yet somewhat disorganized attention. CISOs, policymakers, corporate America and the general public are each at different stages of “knowing thyself” – knowing their risks and responsibilities in the digital infrastructure. Our challenge is to coalesce around a shared understanding and a unity of purpose toward a security regimen that in the end becomes habit. The good news from the survey is that CISOs know what their challenges are, and most have a firm understanding of what needs to be done to overcome them. They know they need to build a workforce with a diversity of talents, using a variety of technological tools. They’re also aware that their biggest threat continues to come from internal vulnerabilities. Moreover, knowing that their success depends on a network of support mechanisms within and outside their agencies, such as security lines of business or US-CERT’s Einstein program, many federal CISOs express a general sense of cautious optimism. But they know we’re not there yet. Less auspicious in the findings is the fact that we’ve not yet organized that awareness into an effective culture of cybersecurity across the government’s political and operational communities. CISOs understand they’re working in an environment where all of the moving parts, such as agency business operations, Congressional buy-in and funding, evolving technologies and standards of practice, need to be moving together in the same direction.Yet they point out a continuing lack of unified momentum. Observed from above, these moving parts might be seen as taking two steps forward, one step back and one to the side before righting themselves forward again. In the short term, CISOs will look to the power behind the White House Cybersecurity Coordinator’s office to drive the changes that will ultimately show improvement. Their hope is this: first, make the case to the Congress; second, secure the funding stream; and third, hold CISOs accountable to clear and measurable standards of security improvement. It will be an honest deal and good governance and would show the business community and the general public that the government can lead by example. 9
BACKGROUND DATA In your staffing plans, If your agency is using Web 2.0/social what percentage networking services, do you have enforced Percentagehires willWill Come From of your of Hires come from: security policies in place? Web 2.0 Social Networking Security Policies in Place Scholarship for Services Program - 20.1% Yes - 78% 20.1% 22% 28.9% Internal - 29.8% No - 22% Other agencies - 21.3% 29.8% Contractor conversions - 30.2% 30.2% Private Sector - 28.9% 78% 21.3% Is your agency taking advantage of the What value do you place Security Lines of Business provided Taking Advantage of The Security when Business on professional certificationsLines ofhiring by other agencies? Value of Professional Certifications or promoting employees? Provided by Other Agencies 9.7% Yes - 61.3% Value 1 - 6.5% 6.5% No - 29.0% 32.3% Value 2 - 9.7% My agency provides a service - 9.7% Value 3 - 12.9% 29% 9.7% Value 4 - 38.7% 61.3% 38.7% Value 5 - 32.3% 12.9% (NOTE: 5 is highly valuable) For the President’s Open Government Directive, does your agency have data security policies in place to reconcile the needs for information transparency President’s Open Government Directive Security Policies and information protection? For Information Transparency and Information Protection Yes - 74.1% 25.9% No - 25.9% 74.1% 10
Garcia StrateGieS, LLc What security technologies do you believe will raise the bar for Raising the Bar for System and Network Security: system and network security? CISO’s Technology Choices Network Monitoring & Intelligence - 83.9% Improved IDS/IPS - 74.2% Automated ID Management - 71% Web Security Apps - 67.7% Policy Mgt. & Audit - 51.6% Other - 12.9% 0 20 40 60 80 100 Number of Respondents METHODOLOGIES AND ACKNOWLEDGEMENTS This second annual federal CISO survey was made available to a cross-section of 85 federal agency and bureau-level chief information security officers (CISOs) and information security officers (ISOs) during the 1st quarter of 2010. Thirty-six of those reached participated by using an online survey tool that gathered anonymous responses to 31 questions. The survey request went out to personnel from defense, civilian, law enforcement and intelligence agencies. We greatly appreciate the cooperation of these front-line CISOs in advancing the state of knowledge about our federal information and information systems security. Greg Garcia, President, Garcia Strategies, LLC W. Hord Tipton, CISSP-ISSEP, CAP, CISA, Executive Director of (ISC)2 11
SPONSORS (ISC)²® is the not-for-profit global leader in educating and certifying information security professionals throughout their careers. With over 68,000 certified members in more than 135 countries, (ISC)² issues the Certified Information Systems Security Professional (CISSP®) and related concentrations, Certified Secure Software Lifecycle Professional (CSSLP®), Certification and Accreditation Professional (CAP®), and Systems Security Certified Practitioner (SSCP®) credentials to those meeting necessary competency requirements. Learn more at www.isc2.org. Cisco is the worldwide leader in networking and IT infrastructure that transforms how governments connect, communicate and collaborate with secure voice, video and data to constituents, end-users and other governments. Cisco¹s Cybersecurity solutions enable government employees to access information securely from any client across any network. Cisco Collaboration,Virtualization,Video and Secure Borderless Network technologies enable governments to meet their mission. Learn more at www.cisco.com/go/federal. Garcia StrateGieS, LLc Garcia Strategies, LLC provides strategic business development and government affairs advisory services for companies contributing to the national cybersecurity and emergency interoperable communications missions. The firm’s founder, Gregory T. Garcia, was the nation’s first Presidentially appointed Assistant Secretary for Cybersecurity and Communications with the U.S. Department of Homeland Security from 2006-2008. SECURITY TRANSCENDS TECHNOLOGY®

Empfohlen

Whitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformationWhitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformationNexon Asia Pacific
 
AI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRAI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRBill Besse
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challengemsdee3362
 
Tripwire_UK_Executive_Cybersecurity_Literacy_Survey
Tripwire_UK_Executive_Cybersecurity_Literacy_SurveyTripwire_UK_Executive_Cybersecurity_Literacy_Survey
Tripwire_UK_Executive_Cybersecurity_Literacy_SurveyMelloney Jewell
 
Ijnsa050201
Ijnsa050201Ijnsa050201
Ijnsa050201IJNSA Journal
 
OverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateOverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateKashif Ali
 
vision 2020 testimony
vision 2020 testimonyvision 2020 testimony
vision 2020 testimonyRob Arnold
 
Contemporary Cyber Security Social Engineering Solutions, Measures, Policies,...
Contemporary Cyber Security Social Engineering Solutions, Measures, Policies,...Contemporary Cyber Security Social Engineering Solutions, Measures, Policies,...
Contemporary Cyber Security Social Engineering Solutions, Measures, Policies,...CSCJournals
 

Empfohlen

Whitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformationWhitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformationNexon Asia Pacific
 
AI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRAI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRBill Besse
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challengemsdee3362
 
Tripwire_UK_Executive_Cybersecurity_Literacy_Survey
Tripwire_UK_Executive_Cybersecurity_Literacy_SurveyTripwire_UK_Executive_Cybersecurity_Literacy_Survey
Tripwire_UK_Executive_Cybersecurity_Literacy_SurveyMelloney Jewell
 
Ijnsa050201
Ijnsa050201Ijnsa050201
Ijnsa050201IJNSA Journal
 
OverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateOverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateKashif Ali
 
vision 2020 testimony
vision 2020 testimonyvision 2020 testimony
vision 2020 testimonyRob Arnold
 
Contemporary Cyber Security Social Engineering Solutions, Measures, Policies,...
Contemporary Cyber Security Social Engineering Solutions, Measures, Policies,...Contemporary Cyber Security Social Engineering Solutions, Measures, Policies,...
Contemporary Cyber Security Social Engineering Solutions, Measures, Policies,...CSCJournals
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsKen M. Shaurette
 
2017 FS-ISAC Security Conference
2017 FS-ISAC Security Conference2017 FS-ISAC Security Conference
2017 FS-ISAC Security ConferenceDavid Sweigert
 
Volume2 chapter1 security
Volume2 chapter1 securityVolume2 chapter1 security
Volume2 chapter1 securityat MicroFocus Italy ❖✔
 
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020Jessica Graf
 
Countering Advanced Persistent Threats
Countering Advanced Persistent ThreatsCountering Advanced Persistent Threats
Countering Advanced Persistent ThreatsBooz Allen Hamilton
 
Cyber for Counties Guidebook
Cyber for Counties Guidebook Cyber for Counties Guidebook
Cyber for Counties Guidebook Kristin Judge
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Sarah Nirschl
 
Mapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityMapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityRedspin, Inc.
 
Improving cyber-security through acquisition
Improving cyber-security through acquisitionImproving cyber-security through acquisition
Improving cyber-security through acquisitionChristopher Dorobek
 
How Cyber Resilient are we?
How Cyber Resilient are we?How Cyber Resilient are we?
How Cyber Resilient are we?CIO Academy Asia Community
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response SurveyFireEye, Inc.
 
2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for Insurance2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for InsuranceAccenture Insurance
 
csxnewsletter
csxnewslettercsxnewsletter
csxnewsletterDominic Vogel
 
2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-final2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-finalΔρ. Γιώργος K. Κασάπης
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeErnst & Young
 
Wef risk responsibility_hyperconnectedworld_report_2014
Wef risk responsibility_hyperconnectedworld_report_2014Wef risk responsibility_hyperconnectedworld_report_2014
Wef risk responsibility_hyperconnectedworld_report_2014Silvia Cardona
 
Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman
 
idg_secops-solutions
idg_secops-solutionsidg_secops-solutions
idg_secops-solutionsJonny Nässlander
 
1. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol21. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol2Adela Cocic
 
Heidi
HeidiHeidi
Heidikategat
 
Dgmdv 1
Dgmdv 1Dgmdv 1
Dgmdv 1Scientia Groups
 
Cybercriminals target online banking
Cybercriminals target online bankingCybercriminals target online banking
Cybercriminals target online bankingScientia Groups
 

Weitere ähnliche Inhalte

Was ist angesagt?

Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsKen M. Shaurette
 
2017 FS-ISAC Security Conference
2017 FS-ISAC Security Conference2017 FS-ISAC Security Conference
2017 FS-ISAC Security ConferenceDavid Sweigert
 
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020Jessica Graf
 
Countering Advanced Persistent Threats
Countering Advanced Persistent ThreatsCountering Advanced Persistent Threats
Countering Advanced Persistent ThreatsBooz Allen Hamilton
 
Cyber for Counties Guidebook
Cyber for Counties Guidebook Cyber for Counties Guidebook
Cyber for Counties Guidebook Kristin Judge
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Sarah Nirschl
 
Mapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityMapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityRedspin, Inc.
 
Improving cyber-security through acquisition
Improving cyber-security through acquisitionImproving cyber-security through acquisition
Improving cyber-security through acquisitionChristopher Dorobek
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response SurveyFireEye, Inc.
 
2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for Insurance2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for InsuranceAccenture Insurance
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeErnst & Young
 
Wef risk responsibility_hyperconnectedworld_report_2014
Wef risk responsibility_hyperconnectedworld_report_2014Wef risk responsibility_hyperconnectedworld_report_2014
Wef risk responsibility_hyperconnectedworld_report_2014Silvia Cardona
 
Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman
 
1. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol21. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol2Adela Cocic
 

Was ist angesagt? (20)

Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessments
 
2017 FS-ISAC Security Conference
2017 FS-ISAC Security Conference2017 FS-ISAC Security Conference
2017 FS-ISAC Security Conference
 
Volume2 chapter1 security
Volume2 chapter1 securityVolume2 chapter1 security
Volume2 chapter1 security
 
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
 
Countering Advanced Persistent Threats
Countering Advanced Persistent ThreatsCountering Advanced Persistent Threats
Countering Advanced Persistent Threats
 
Cyber for Counties Guidebook
Cyber for Counties Guidebook Cyber for Counties Guidebook
Cyber for Counties Guidebook
 
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
Perception Gaps in Cyber Resilience: What Are Your Blind Spots?
 
Mapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information SecurityMapping Application Security to Business Value - Redspin Information Security
Mapping Application Security to Business Value - Redspin Information Security
 
Improving cyber-security through acquisition
Improving cyber-security through acquisitionImproving cyber-security through acquisition
Improving cyber-security through acquisition
 
How Cyber Resilient are we?
How Cyber Resilient are we?How Cyber Resilient are we?
How Cyber Resilient are we?
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response Survey
 
2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for Insurance2018 State of Cyber Resilience for Insurance
2018 State of Cyber Resilience for Insurance
 
csxnewsletter
csxnewslettercsxnewsletter
csxnewsletter
 
2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-final2017 global-cyber-risk-transfer-report-final
2017 global-cyber-risk-transfer-report-final
 
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of CybercrimeCyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Threat Intelligence − How to Get Ahead of Cybercrime
 
Wef risk responsibility_hyperconnectedworld_report_2014
Wef risk responsibility_hyperconnectedworld_report_2014Wef risk responsibility_hyperconnectedworld_report_2014
Wef risk responsibility_hyperconnectedworld_report_2014
 
Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015
 
idg_secops-solutions
idg_secops-solutionsidg_secops-solutions
idg_secops-solutions
 
1. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol21. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol2
 
Heidi
HeidiHeidi
Heidi
 

Andere mochten auch

Cybercriminals target online banking
Cybercriminals target online bankingCybercriminals target online banking
Cybercriminals target online bankingScientia Groups
 
Quarterly Marketing Call Presentation 1 22 10
Quarterly Marketing Call Presentation 1 22 10Quarterly Marketing Call Presentation 1 22 10
Quarterly Marketing Call Presentation 1 22 10Scientia Groups
 
Partners Guide - System Center
Partners Guide - System CenterPartners Guide - System Center
Partners Guide - System CenterScientia Groups
 
System Center 2012 R2 - Enterprise Automation
System Center 2012 R2 - Enterprise AutomationSystem Center 2012 R2 - Enterprise Automation
System Center 2012 R2 - Enterprise AutomationScientia Groups
 

Andere mochten auch (7)

Dgmdv 1
Dgmdv 1Dgmdv 1
Dgmdv 1
 
Cybercriminals target online banking
Cybercriminals target online bankingCybercriminals target online banking
Cybercriminals target online banking
 
Zeus and Antivirus
Zeus and AntivirusZeus and Antivirus
Zeus and Antivirus
 
Quarterly Marketing Call Presentation 1 22 10
Quarterly Marketing Call Presentation 1 22 10Quarterly Marketing Call Presentation 1 22 10
Quarterly Marketing Call Presentation 1 22 10
 
Odijk - Singel 101
Odijk - Singel 101Odijk - Singel 101
Odijk - Singel 101
 
Partners Guide - System Center
Partners Guide - System CenterPartners Guide - System Center
Partners Guide - System Center
 
System Center 2012 R2 - Enterprise Automation
System Center 2012 R2 - Enterprise AutomationSystem Center 2012 R2 - Enterprise Automation
System Center 2012 R2 - Enterprise Automation
 

Ähnlich wie CISO Survey Report 2010

2013-ISC2-Global-Information-Security-Workforce-Study
2013-ISC2-Global-Information-Security-Workforce-Study2013-ISC2-Global-Information-Security-Workforce-Study
2013-ISC2-Global-Information-Security-Workforce-StudyTam Nguyen
 
Prof m01-2013 global information security workforce study - final
Prof m01-2013 global information security workforce study - finalProf m01-2013 global information security workforce study - final
Prof m01-2013 global information security workforce study - finalSelectedPresentations
 
Cybersecurity Risk -- Redefing real risk measurement for the CISO
Cybersecurity Risk -- Redefing real risk measurement for the CISOCybersecurity Risk -- Redefing real risk measurement for the CISO
Cybersecurity Risk -- Redefing real risk measurement for the CISODavid Sweigert
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperCMR WORLD TECH
 
Module 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfModule 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfHumphrey Humphrey
 
Improved-Cybersecurity-cooperation
Improved-Cybersecurity-cooperationImproved-Cybersecurity-cooperation
Improved-Cybersecurity-cooperationrrepko
 
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEMJoseph DeFever
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesJoseph DeFever
 
SANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveySANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveyEdgar Alejandro Villegas
 
Discussion Questions The difficulty in predicting the future is .docx
Discussion Questions The difficulty in predicting the future is .docxDiscussion Questions The difficulty in predicting the future is .docx
Discussion Questions The difficulty in predicting the future is .docxduketjoy27252
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...FireEye, Inc.
 
Improving Collaboration Through Identity Management
Improving Collaboration Through Identity ManagementImproving Collaboration Through Identity Management
Improving Collaboration Through Identity ManagementGov BizCouncil
 
Cyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an UncertaintyCyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an UncertaintyOrganization
 
LD7009 Information Assurance And Risk Management.docx
LD7009 Information Assurance And Risk Management.docxLD7009 Information Assurance And Risk Management.docx
LD7009 Information Assurance And Risk Management.docxstirlingvwriters
 
Global Partnership Key to Cyber Security
Global Partnership Key to Cyber SecurityGlobal Partnership Key to Cyber Security
Global Partnership Key to Cyber SecurityDominic Karunesudas
 
Cyber Risk Quantification for Employees | Safe Security
Cyber Risk Quantification for Employees | Safe SecurityCyber Risk Quantification for Employees | Safe Security
Cyber Risk Quantification for Employees | Safe SecurityRahul Tyagi
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...at MicroFocus Italy ❖✔
 
State of Security Operations 2016
State of Security Operations 2016State of Security Operations 2016
State of Security Operations 2016Tim Grieveson
 

Ähnlich wie CISO Survey Report 2010 (20)

2013-ISC2-Global-Information-Security-Workforce-Study
2013-ISC2-Global-Information-Security-Workforce-Study2013-ISC2-Global-Information-Security-Workforce-Study
2013-ISC2-Global-Information-Security-Workforce-Study
 
Prof m01-2013 global information security workforce study - final
Prof m01-2013 global information security workforce study - finalProf m01-2013 global information security workforce study - final
Prof m01-2013 global information security workforce study - final
 
Cybersecurity Risk -- Redefing real risk measurement for the CISO
Cybersecurity Risk -- Redefing real risk measurement for the CISOCybersecurity Risk -- Redefing real risk measurement for the CISO
Cybersecurity Risk -- Redefing real risk measurement for the CISO
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 
Module 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfModule 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdf
 
Improved-Cybersecurity-cooperation
Improved-Cybersecurity-cooperationImproved-Cybersecurity-cooperation
Improved-Cybersecurity-cooperation
 
The meaning of security in the 21st century
The meaning of security in the 21st centuryThe meaning of security in the 21st century
The meaning of security in the 21st century
 
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEM
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & Practices
 
SANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveySANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls Survey
 
Discussion Questions The difficulty in predicting the future is .docx
Discussion Questions The difficulty in predicting the future is .docxDiscussion Questions The difficulty in predicting the future is .docx
Discussion Questions The difficulty in predicting the future is .docx
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
 
Improving Collaboration Through Identity Management
Improving Collaboration Through Identity ManagementImproving Collaboration Through Identity Management
Improving Collaboration Through Identity Management
 
Cyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an UncertaintyCyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an Uncertainty
 
LD7009 Information Assurance And Risk Management.docx
LD7009 Information Assurance And Risk Management.docxLD7009 Information Assurance And Risk Management.docx
LD7009 Information Assurance And Risk Management.docx
 
Global Partnership Key to Cyber Security
Global Partnership Key to Cyber SecurityGlobal Partnership Key to Cyber Security
Global Partnership Key to Cyber Security
 
Cyber Risk Quantification for Employees | Safe Security
Cyber Risk Quantification for Employees | Safe SecurityCyber Risk Quantification for Employees | Safe Security
Cyber Risk Quantification for Employees | Safe Security
 
7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...
 
State of Security Operations 2016
State of Security Operations 2016State of Security Operations 2016
State of Security Operations 2016
 

Mehr von Scientia Groups

System Center 2012 Orchestrator R2 - Enterprise IT Automation
System Center 2012 Orchestrator R2 - Enterprise IT AutomationSystem Center 2012 Orchestrator R2 - Enterprise IT Automation
System Center 2012 Orchestrator R2 - Enterprise IT AutomationScientia Groups
 
System Center Endpoint Protection
System Center Endpoint ProtectionSystem Center Endpoint Protection
System Center Endpoint ProtectionScientia Groups
 
Brute forcing Wi-Fi Protected Setup
Brute forcing Wi-Fi Protected SetupBrute forcing Wi-Fi Protected Setup
Brute forcing Wi-Fi Protected SetupScientia Groups
 
NIST Definition of Cloud Computing
NIST Definition of Cloud ComputingNIST Definition of Cloud Computing
NIST Definition of Cloud ComputingScientia Groups
 
Delivering a secure and fast boot experience with uefi
Delivering a secure and fast boot experience with uefiDelivering a secure and fast boot experience with uefi
Delivering a secure and fast boot experience with uefiScientia Groups
 
NSA Best Practices Datasheets
NSA Best Practices DatasheetsNSA Best Practices Datasheets
NSA Best Practices DatasheetsScientia Groups
 
Projecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the CloudProjecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the CloudScientia Groups
 
2010 1 22 Partner Marketing Call Welcome Rotating Deck
2010 1 22 Partner Marketing Call Welcome Rotating Deck2010 1 22 Partner Marketing Call Welcome Rotating Deck
2010 1 22 Partner Marketing Call Welcome Rotating DeckScientia Groups
 

Mehr von Scientia Groups (8)

System Center 2012 Orchestrator R2 - Enterprise IT Automation
System Center 2012 Orchestrator R2 - Enterprise IT AutomationSystem Center 2012 Orchestrator R2 - Enterprise IT Automation
System Center 2012 Orchestrator R2 - Enterprise IT Automation
 
System Center Endpoint Protection
System Center Endpoint ProtectionSystem Center Endpoint Protection
System Center Endpoint Protection
 
Brute forcing Wi-Fi Protected Setup
Brute forcing Wi-Fi Protected SetupBrute forcing Wi-Fi Protected Setup
Brute forcing Wi-Fi Protected Setup
 
NIST Definition of Cloud Computing
NIST Definition of Cloud ComputingNIST Definition of Cloud Computing
NIST Definition of Cloud Computing
 
Delivering a secure and fast boot experience with uefi
Delivering a secure and fast boot experience with uefiDelivering a secure and fast boot experience with uefi
Delivering a secure and fast boot experience with uefi
 
NSA Best Practices Datasheets
NSA Best Practices DatasheetsNSA Best Practices Datasheets
NSA Best Practices Datasheets
 
Projecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the CloudProjecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the Cloud
 
2010 1 22 Partner Marketing Call Welcome Rotating Deck
2010 1 22 Partner Marketing Call Welcome Rotating Deck2010 1 22 Partner Marketing Call Welcome Rotating Deck
2010 1 22 Partner Marketing Call Welcome Rotating Deck
 

Kürzlich hochgeladen

unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 

Kürzlich hochgeladen (20)

unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 

CISO Survey Report 2010

  • 1. The 2010 State of Cybersecurity from the Federal CISO’s Perspective — An (ISC)2 Report Garcia StrateGieS, LLc
  • 2. The 2010 State of Cybersecurity from the Federal CISO’s Perspective – An (ISC)2® Report EXECUTIVE SUMMARY In May 2009, President Barack Obama, in the first-ever presidential speech dedicated entirely to cybersecurity, proclaimed that the nation’s digital infrastructure should be considered a “strategic national asset.” Those weighty words affirmed what specialists in the Internet security field have long recognized and built careers around. But the fact that those words were uttered by the President of the United States in a nationally televised address ushered in a new era of national awareness – and perhaps government activism — about the ongoing and pervasive vulnerabilities and threats that government, business, academic and personal users face in our online world every day. The federal government’s cadre of chief information security officers (CISOs) – no strangers to the ebb and flow of political tides that affect their mission – currently view this emergent national awareness with an ambivalent mix of hope and wonder. They see greater awareness but still insufficient resources to protect “There is more attention to and our networks; better tools and training but increasing threats and awareness of the magnitude of attacks on our infrastructures; and more security initiatives within and the problem; attention leads to across the agencies, but organizational structures not yet equipped to resources and action.” get ahead of our adversaries and our own operational flaws. We are seeing measurable progress; indeed, trend lines are favorable, as suggested in the survey findings of the second annual “State of Cybersecurity from the Federal CISO’s Perspective – An (ISC)2 Report”. A joint effort between (ISC)2, Cisco and Garcia Strategies, this report is intended as a tool to track developments in our ability to assess and protect the security of those strategic national assets entrusted to our public servants. On the front lines of this ongoing battle are the nation’s federal CISOs, and we present these findings to reflect their views for the benefit of their peers, policymakers and the public. KEY SURVEY FINDINGS If there is one theme that characterizes the results of this year’s survey, we turn to the well-known aphorism by Socrates - “know thyself” - which suggests that in order for us to truly understand the world, we must first understand ourselves. In cybersecurity, this means that awareness of our challenges and opportunities is the first step toward being able to do something about it - to change the status quo. 2
  • 3. Garcia StrateGieS, LLc This survey organizes CISOs’ perspectives into four categories: security posture, workforce effectiveness, resources and tools and policy and emerging initiatives. First, what federal CISOs see in the nation’s security posture in 2010 is not significantly different from that reported in 2009. Half believe we’re better off than last year, while the other half see that we’re worse off or no better in our ability to protect our networks. Half of the CISOs in 2010, fewer than in 2009, report that they feel they have a significant ability to impact the security posture of their agency. Yet they continue to see vulnerabilities and incidents. They identify software, poorly trained users and/or insider threats as continuing problems that they rate as even more severe than external threats such as nation states, Website vulnerabilities and spear phishing. Looking at security through the lens of workforce effectiveness, CISOs continue to show overall satisfaction with their jobs, yet their job requirements have evolved beyond the technical, with half of the respondents being asked to deliver more managerial, policy and political responsibilities in their roles. So they rely heavily on well-trained staff with highly valued professional certifications and are turning to Scholarship for Service students and contractor conversions for many of their hiring needs. Outside of their own control, CISOs must rely on a variety of internal and external tools and resources to get their jobs done – whether it’s technology, Congressional funding, bureaucratic operations or cross-agency protective initiatives. Among these areas, CISOs’ satisfaction is mixed. They continue to deploy intrusion detection and intrusion prevention technologies and, compared to 2009, have an improved view of the cross-agency “Einstein” IDS/IPS program managed by the Department of Homeland Security’s U.S.-CERT. And while many are taking advantage of the Information Systems Security Line of Business (ISS-LOB), only 10 percent are satisfied with their own agency HR and procurement operations to facilitate their mission execution, and even less have any confidence in the ability of Congress to understand their mission and provide adequate resources. These results square with CISOs’ perspectives about policy and emerging initiatives, in which more than half of the CISOs would advise the new White House Cybersecurity Coordinator, Professor Howard A. Schmidt, CISSP, CSSLP, Fellow of (ISC)2, to place increased agency funding and enforcement of security mandates at the top of his priority list. This suggests the need for a strong and proactive educational outreach strategy with Congress. As for emerging initiatives, cloud computing 3
  • 4. may be a part of a broad government initiative, but almost ¾ of respondents admit they’re not using the cloud because of the range of security concerns they need to understand before deploying their data and applications in the cloud. Those same concerns, however, have not stopped adoption of Web 2.0 social networking applications to enhance the ubiquity and usability of government services. Seventy-eight percent of CISOs who use Web 2.0 services say they have enforced security policies in place, suggesting considerable alignment of new services with security policies. RECOMMENDATIONS These survey results suggest that, from a broad perspective, the issue of cybersecurity has matured in the minds of the American public and the federal stewards of our information infrastructure, such that we are coming to “know thyself,” with the awareness of our challenges as a starting point for improvement. From the results of this survey and the trends that emerged from last year’s report and other sources, we can advance a few key recommendations that will build on the progress CISOs have made over the last several years. First, if our digital infrastructure is indeed a strategic national asset, then it is incumbent upon Congress to give CISOs sufficient funding to protect government networks. Digital pennies can save us analog dollars. Then, CISOs must use the appropriate tools for measuring risk and security and be held accountable for meeting their agency’s mission requirements. They cannot be held accountable for poorly defined and unfunded mandates. Second, CISOs need to be given the flexibility and creativity it takes to be competitive with the private sector in recruiting qualified and motivated staff. While CISOs clearly see certifications as an important measure of qualification, other factors like the ability to offer strong in-house training and hands-on experience must factor into hiring decisions. Third, CISOs and the government officials who support them need to do a better job of educating the Congress about the business case for how better security will improve government services, reduce costs for software maintenance and incident response and protect critical, sensitive data. If they succeed, the additional attention they receive from lawmakers may raise their visibility within their organizations and result in better operational support from functions such as human resources and procurement. Finally, consistent with one of the recommendations we made in 2009, there needs to be a continuing and stronger emphasis on protection and management of data, distinct from focusing too heavily on threats and attacks. As practitioners, CISOs report that they can maintain strong security in a way that protects privacy without infringing upon it, that we can have an open government policy of transparency while keeping security policies in place to protect sensitive information and that outsourcing services to the cloud does not mean outsourcing truly critical data. Decisions on security policy and implementation need to be considered through this prism of data management imperatives. 4
  • 5. Garcia StrateGieS, LLc SURVEY DETAILS DESPITE INCREASING ATTENTION TO TOOLS AND METRICS,THREATS STILL LOOM Federal CISOs are seeing greater awareness of their Most Useful Metric Tools Most Useful Metric Tools missions but not enough improvement in the security 11% CAG - 31% posture of the federal domain. Almost 50 percent 3% 31% SCAP - 27.5% of respondents say they have significant ability NIST 800-53 - 27.5% 27.5% FISMA - 3% to impact the security of their organization, but the Other - 11% same number say the security problem is either worse 27.5% or the same as it was one year ago. But CISOs believe we are potentially poised to see much better gains in our security posture. As one CISO observed, “There is more attention to and awareness of the magnitude of the problem; attention leads to resources and action.” “Metrics are unclear because of To build on their ability to improve their agency’s security posture, our inability to link compliance CISOs point to several useful tools in their arsenal. The Consensus Audit with reduction of impact.” Guidelines (CAG), Security Content Automation Protocol (SCAP) and the NIST 800-53 guidelines all receive high marks for being most useful. In addition, they almost universally (94 percent) believe that the government should include specific, mandatory security requirements in every major IT procurement. In this environment, 85 percent of these practitioners reported that continuous monitoring is the most useful metric for measuring the level of security. However, the ongoing evolution of threats makes measurement of our progress difficult. As one CISO observed, “Metrics are unclear because of our inability to link compliance with reduction of impact.” Asked to rank the number one threat in terms of severity, 27 percent identified exploitable software vulnerabilities, followed by 24 percent for insiders. Interestingly, however, 43 percent of CISOs blame insecure software for less than a quarter of detected security breaches. Only one in 15 Most SevereThreats Most Severe Threats respondents was able to claim that 75-100 percent 6% Exploitable Software Vulnerabilities - 27% of those breaches were due to insecure software. This 12% 27% Insiders - 24% suggests a possible anomaly based on the complexity Foreign Nation State - 21% 9% of managing multi-layered network security – that widely Website Vulnerability -9% 24% Poorly Trained Users -12% held assumptions about software vulnerabilities aren’t 21% Spear Phishing - 6% easily linked to attributable security incidents. 5
  • 6. THE NEED FOR FLEXIBILITY IN MANAGING OUR MOST IMPORTANT ASSET Many organizations today, whether government or private sector, have adopted the mantra, “people are our most important asset.” It is no different among federal CISOs, whether they’re concerned with their own job satisfaction or the quality of the people they need to manage their infrastructure. When asked about their level of job satisfaction, 63 percent of the CISOs confirmed they were either satisfied or very satisfied with their jobs, which is attributable in part to their strong belief that they have a significant impact on the security of their organizations. A motivated workforce is often a successful one. Solution or Problem? CISOs See Their Duties Becoming More: Still, half of the CISOs see their jobs taking on more managerial, policy and Technical 25.8% political elements on top of their existing technical duties, and they know they Managerial 51.6% can’t do it all alone. They, accordingly, Political-/ 54.8% lean significantly on a well-trained and Policy-Oriented experienced staff. Sixty-eight percent 0 20 40 60 80 100 of respondents say they have adequate Technical Managerial Political- / Policy-Oriented training resources, but equally important to them are professional certifications, which more than 70 percent ranked as high or very high in importance when hiring or promoting employees. A similar number believe that security certifications should be mandatory for security professionals across the government. This tracks closely with 2009 data, which showed 75 percent of CISOs advocating mandatory certifications across the government. The most prevalent certification held among the CISOs responding is the CISSP® (62 percent), followed by CISM (25 percent) and NSA-IAM (13 percent). Looking ahead to staff augmentation, CISOs estimate that contractor conversions and the private sector will each make up 30 percent of their hires, with a similar number from internal sources. In terms of tapping the talent of our next generation’s workforce in the Scholarship for Service (SFS) program, 44 percent of the CISOs expect to hire one to five SFS students, CISOs SeeTheir Duties Becoming More: 12 percent will hire more than six, while another 44 percent will not take advantage of this resource. OUTSIDE RESOURCES: PART OF THE SOLUTION OR PART OF THE PROBLEM? 54.8% This is likely the question many CISOs regularly ask about the outside influences that can help or hurt execution of their mission – whether it’s their internal HR and procurement department, security lines of business which allow agencies to outsource security expertise to other agencies, the DHS Einstein and TIC program for monitoring network traffic in and out of the .gov domain or mission authorization and appropriations from Congress. 6
  • 7. Garcia StrateGieS, LLc Solution oror Problem? Solution Problem? Looking at the numbers, CISOs are showing more confidence Einstein and TIC 27% 54% 19% in the Einstein program, which was characterized in last year’s report Procurement and HR 40% 50% 10% as frustrating and too externally Congress 56% 37% 7% focused. In 2010, almost ¾ of the respondents report they are 0 20 40 60 80 100 satisfied to somewhat satisfied Not Satisfied Somewhat Satisfied Very Satisfied with this cross-agency intrusion detection/prevention program, which may be due in part by the fact that the same number are complementing the effort with the use of IDS and IPS on their networks, as well as automated ID management and many other sophisticated security tools. Relying on others to support their efforts, CISOs are outsourcing select security expertise to other agencies through the ISS-LOB, with 62 percent participating in the program and 10 percent serving as lines of business for other agencies.† That level of CISO confidence, however, is not so strong among their own agency human resources and procurement functions, which they depend on for timely and high-quality hiring and technology acquisitions, with 40 percent expressing no satisfaction with those performance functions. Similarly, when it comes time to “show me the money,” 57 percent of CISOs are not confident that Congress understands their mission well enough to provide sufficient funding – either for hiring or technology. There may be some promising signs, however, in pending legislation that recognizes these recruitment challenges by requiring an annual report on hiring effectiveness. HEY, YOU, GET ON TO MY CLOUD How the Cloud Enables Security How the Cloud Enables Security The continual march of technology brings a stampede 11.1% ID-RBAC - 40.7% of vulnerabilities. CISOs must constantly assess how new Architecture improvements - 37% 11.1% technologies and capabilities can enable or enhance their 40.7% Improved failover and service-level performance - 11.1% agency missions without introducing new, unacceptable Other - 11.1% 37% risks. Looking at some of these emerging technologies facing CISOs, cloud computing and Web 2.0 services † The ISS-LOB designates agencies as “shared service centers” for lines of business in FISMA reporting; certification and accreditation; IT security awareness training; and Trusted Internet Connections Access Providers (TICAPs). 7
  • 8. Biggest Security Concerns with the Cloud Biggest Security Concerns with the Cloud show business promise but security peril. 72 percent 3.6% of CISOs in the survey report that they do not yet Replicating security policy - 44.8% 10.3% use cloud computing because of the high levels of Data Loss prevention - 20.7% 10.3% 44.8% Adapt Einstein/TIC - 10.3% uncertainty around being able to replicate IT security 10.3% COOP Compliance -10.3% policy in the cloud (45 percent) and data loss prevention HSPD 12 -10.3% 20.7% Other - 3.6% (21 percent). Those who see promise in cloud computing, conversely, also see potential for improving security, particularly through ID-based network solutions that employ role-based access controls, or RBAC (41 percent), as well as design improvements that enable the cloud with a strategic architecture (37 percent). All CISOs reporting that they do use cloud computing services for mission delivery say they have enforced security policies in place, which suggests there could be some useful templates in place as reference for other CISOs wanting to explore their options. While experience continues to show that we need to be circumspect in the use of Web 2.0, social networking and P2P technologies, many CISOs see less complication in the security issues surrounding them, as 62 percent are using those services as part of their mission delivery system. Almost 80 percent of those using those services claim to have enforced security policies in place. This suggests a general recognition of the power of those tools in implementing the Obama Administration’s Open Government initiative as long as there is control over distributed usage among employees. The Marine Corps, for example, announced on March 29, 2010, that it is lifting the ban on the use of social networking to allow those out in the field to maintain communications with home. In balancing the sometimes competing demands between information transparency and protection and information security and privacy, responding CISOs do not feel as conflicted as the policy debates would suggest. Three-quarters of CISOs report that they have data security White House CybersecurityCoordinator for a Day White House Cybersecurity Coordinator for a Day policies in place to balance Recommended Highest Priorities Recommended Highest Priorities the needs of transparency and 3% 7% Improve agency funding for and enforcement of security mandates - 21% 21% TIC & Einstein deployment and implementation - 21% information protection. About 9% Expand cyber cordination to states and private sector - 18% the same number do not 9% Public awareness -12% believe that privacy protections 12% Develop a national cyber incident response capability - 9% 21% Develop a national cyber training institute - 9% undermine the needs of security 18% International collaboration and deterrence strategy - 3% or that security monitoring Other - 7 % technologies necessarily 8
  • 9. Garcia StrateGieS, LLc encroach on privacy rights. This perhaps goes to the heart of reconciling what we are trying to protect versus what we are trying to stop. Finally, CISOs were asked to be the White House Cybersecurity Coordinator for a day and make recommendations for what should be the highest priorities for that office. Not surprisingly, improved agency funding ranks highest, followed by effective TIC/Einstein deployment to protect agency networks. Almost as many – 18 percent – acknowledge the importance of expanding cybersecurity coordination to states and the private sector. CONCLUSION In our vastly interconnected digital world, national understanding of “cybersecurity” as an issue and a discipline has evolved from ignorance to discovery, to what is now sober yet somewhat disorganized attention. CISOs, policymakers, corporate America and the general public are each at different stages of “knowing thyself” – knowing their risks and responsibilities in the digital infrastructure. Our challenge is to coalesce around a shared understanding and a unity of purpose toward a security regimen that in the end becomes habit. The good news from the survey is that CISOs know what their challenges are, and most have a firm understanding of what needs to be done to overcome them. They know they need to build a workforce with a diversity of talents, using a variety of technological tools. They’re also aware that their biggest threat continues to come from internal vulnerabilities. Moreover, knowing that their success depends on a network of support mechanisms within and outside their agencies, such as security lines of business or US-CERT’s Einstein program, many federal CISOs express a general sense of cautious optimism. But they know we’re not there yet. Less auspicious in the findings is the fact that we’ve not yet organized that awareness into an effective culture of cybersecurity across the government’s political and operational communities. CISOs understand they’re working in an environment where all of the moving parts, such as agency business operations, Congressional buy-in and funding, evolving technologies and standards of practice, need to be moving together in the same direction.Yet they point out a continuing lack of unified momentum. Observed from above, these moving parts might be seen as taking two steps forward, one step back and one to the side before righting themselves forward again. In the short term, CISOs will look to the power behind the White House Cybersecurity Coordinator’s office to drive the changes that will ultimately show improvement. Their hope is this: first, make the case to the Congress; second, secure the funding stream; and third, hold CISOs accountable to clear and measurable standards of security improvement. It will be an honest deal and good governance and would show the business community and the general public that the government can lead by example. 9
  • 10. BACKGROUND DATA In your staffing plans, If your agency is using Web 2.0/social what percentage networking services, do you have enforced Percentagehires willWill Come From of your of Hires come from: security policies in place? Web 2.0 Social Networking Security Policies in Place Scholarship for Services Program - 20.1% Yes - 78% 20.1% 22% 28.9% Internal - 29.8% No - 22% Other agencies - 21.3% 29.8% Contractor conversions - 30.2% 30.2% Private Sector - 28.9% 78% 21.3% Is your agency taking advantage of the What value do you place Security Lines of Business provided Taking Advantage of The Security when Business on professional certificationsLines ofhiring by other agencies? Value of Professional Certifications or promoting employees? Provided by Other Agencies 9.7% Yes - 61.3% Value 1 - 6.5% 6.5% No - 29.0% 32.3% Value 2 - 9.7% My agency provides a service - 9.7% Value 3 - 12.9% 29% 9.7% Value 4 - 38.7% 61.3% 38.7% Value 5 - 32.3% 12.9% (NOTE: 5 is highly valuable) For the President’s Open Government Directive, does your agency have data security policies in place to reconcile the needs for information transparency President’s Open Government Directive Security Policies and information protection? For Information Transparency and Information Protection Yes - 74.1% 25.9% No - 25.9% 74.1% 10
  • 11. Garcia StrateGieS, LLc What security technologies do you believe will raise the bar for Raising the Bar for System and Network Security: system and network security? CISO’s Technology Choices Network Monitoring & Intelligence - 83.9% Improved IDS/IPS - 74.2% Automated ID Management - 71% Web Security Apps - 67.7% Policy Mgt. & Audit - 51.6% Other - 12.9% 0 20 40 60 80 100 Number of Respondents METHODOLOGIES AND ACKNOWLEDGEMENTS This second annual federal CISO survey was made available to a cross-section of 85 federal agency and bureau-level chief information security officers (CISOs) and information security officers (ISOs) during the 1st quarter of 2010. Thirty-six of those reached participated by using an online survey tool that gathered anonymous responses to 31 questions. The survey request went out to personnel from defense, civilian, law enforcement and intelligence agencies. We greatly appreciate the cooperation of these front-line CISOs in advancing the state of knowledge about our federal information and information systems security. Greg Garcia, President, Garcia Strategies, LLC W. Hord Tipton, CISSP-ISSEP, CAP, CISA, Executive Director of (ISC)2 11
  • 12. SPONSORS (ISC)²® is the not-for-profit global leader in educating and certifying information security professionals throughout their careers. With over 68,000 certified members in more than 135 countries, (ISC)² issues the Certified Information Systems Security Professional (CISSP®) and related concentrations, Certified Secure Software Lifecycle Professional (CSSLP®), Certification and Accreditation Professional (CAP®), and Systems Security Certified Practitioner (SSCP®) credentials to those meeting necessary competency requirements. Learn more at www.isc2.org. Cisco is the worldwide leader in networking and IT infrastructure that transforms how governments connect, communicate and collaborate with secure voice, video and data to constituents, end-users and other governments. Cisco¹s Cybersecurity solutions enable government employees to access information securely from any client across any network. Cisco Collaboration,Virtualization,Video and Secure Borderless Network technologies enable governments to meet their mission. Learn more at www.cisco.com/go/federal. Garcia StrateGieS, LLc Garcia Strategies, LLC provides strategic business development and government affairs advisory services for companies contributing to the national cybersecurity and emergency interoperable communications missions. The firm’s founder, Gregory T. Garcia, was the nation’s first Presidentially appointed Assistant Secretary for Cybersecurity and Communications with the U.S. Department of Homeland Security from 2006-2008. SECURITY TRANSCENDS TECHNOLOGY®