The United States faces an impending “cyber Pearl Harbor,” according to former Defense Secretary Leon Panetta. Signs of the nation’s vulnerability include a recent hack of 20 million personnel records from a government agency and another hack of 40 million credit card accounts from Target.
Recognizing that cyberattacks target both government and private sector organizations, New York regulators are looking to bolster oversight of financial companies’ cybersecurity practices with a new rule that would require those companies to establish a cybersecurity program and designate a Chief Information Security Officer (CISO) to manage it. Other requirements include safeguarding information accessible to third parties, building a cybersecurity workforce, and developing a response plan for cyber incidents.
Some have speculated that New York’s proposed rule will serve as a model for other states and the federal government; but as state and federal regulators grapple with how to best protect financial institutions, they would do well to study federal regulators’ experiences with protecting their own agencies. Just one month before New York unveiled its new proposed rule, the U.S. Government Accountability Office (GAO) released a report detailing its findings about how federal agencies’ CISOs have fared in managing their own cybersecurity programs.
The assessment, which evaluated 24 agencies and departments, had two goals. First, it sought to find out whether agencies had defined their CISOs’ roles in accordance with federal law and guidelines. Second, GAO wanted to identify the challenges that CISOs faced in developing and implementing their agencies’ security programs.
In reviewing how agencies had defined the roles of their CISOs, the assessment measured the agencies’ practices against the requirements of the Federal Information Security Modernization Act of 2014, as well as against guidance from the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB). The assessment identified 11 activities for which the CISO is responsible, including periodic risk assessments, policies and procedures, security plans, training, incident response, and contingency planning.
Of the 24 agencies, GAO found that only 11 had defined their CISO’s role for all activities. According to GAO, the remaining 13 agencies had only partially defined their CISO’s role and risked “limiting [the CISOs’] ability to effectively oversee these agencies’ information security programs.”
GAO also administered surveys to, and conducted interviews with, each of the CISOs to determine what challenges CISOs had faced in managing their cybersecurity programs.
The surveyed CISOs expressed a number of concerns. Eighteen reported competition between security and operations priorities, including that security personnel sometimes reported through their component’s own chain of command rather than to the CISO, with the result that security concerns were under-prioritized. Additionally, coordination with other components, resource limitations, and quickly changing technology were each cited as obstacles to managing the programs. Ten CISOs also reported that their placement within the organization “challenged their ability to carry out their responsibilities” by, for example, blurring lines of authority and preventing adequate “access to agency leadership.”
According to GAO, at least one contributing factor to the misalignment between agencies’ practices and their statutory responsibilities lies in what it characterized as OMB’s failure to “provide guidance on information security.” OMB’s Circular A-130, which establishes policies for managing federal information resources, states that agencies must “ensure that all personnel are held accountable for complying with agency-wide information security and privacy requirements and policies.” However, according to the assessment, the circular fails to “provide guidance on how agencies are to implement this requirement.” As a result, GAO believes that “agencies lack clarity on how to ensure that their CISOs have adequate authority to effectively carry out their duties.”
The assessment recognized that OMB and NIST have created some initiatives to assist agencies with meeting their cybersecurity obligations, including the National Initiative for Cybersecurity Education, the Cybersecurity National Action Plan, and the Cybersecurity Strategy and Implementation Plan, but concluded that they do not adequately address the concerns voiced by the CISOs.
GAO completed its assessment at the request of U.S. Representatives Fred Upton (R-Mich.), Chairman of the Energy and Commerce Committee, and Tim Murphy (R-Pa.), who expressed concerns that “competition between operations and security…often led to security being deprioritized.” Their concerns were based on a report produced by their Committee that found pervasive security deficiencies at the U.S. Department of Health and Human Services.
The Superintendent of New York’s Department of Financial Services—the entity that published New York’s cybersecurity rule, and which is responsible for regulating thousands of financial companies—assured consumers that the rule employs “current principles” that provide the “flexibility necessary to ensure that institutions can efficiently adapt to continued innovations.”
Still, some experts have reportedly worried that the new requirements “could cost [banks] and insurers millions of dollars.” Concern over the high costs of cybersecurity is nothing new: following the Obama administration’s release of the NIST Cybersecurity Framework in February 2014, companies and business groups grappled with the large investments that cybersecurity requires.
But the threat of cyberattack isn’t going anywhere, for companies or agencies. Shortly after releasing its CISO report, GAO found that agency cyber incidents had increased by around 1,300 percent over the previous nine years, and the Ponemon Institute reported that the costs of cybercrime had increased by 82 percent over six years.