IT security remains a top concern of US government CIOs, but it’s also an area where they’re making much progress, according to a survey released recently by the Information Technology Association of America.
CIOs told the ITAA, a trade group based in Virginia, that they made progress in certifying their IT systems, training IT workers and other employees about cybersecurity, and setting up IT security policies during 2006, says Paul Wohlleben, chairman of ITAA’s CIO survey project.
Even as multiple reports of missing government laptops and other devices containing personal information came to light last year, federal CIOs said they’re making “incremental progress” toward achieving federal cybersecurity mandates, Wohlleben says.
CIOs, responding in face-to-face surveys during which they were promised anonymity, told ITAA they’re also making progress integrating security into their information architecture, instead of “bolting on” security afterward, he says.
And CIOs say they’ve made progress implementing information privacy programs, although in many cases, the progress was simply getting a privacy programme off the ground, Wohlleben says. “Quite frankly, there’s not a lot of maturity out there,” he says of privacy programmes. “For a lot of agencies, they’re really taking credit for getting this started. Some things take quite a while to achieve in the federal space.”
The survey of 47 government CIOs or related officials found some frustration with agency information security practices, Wohlleben says. Many CIOs say they don’t have authority over personal inventory rules covering devices such as laptops, even though the high-profile breaches last year involved laptops, hard drives or other similar devices. “There’s a wide range of devices that are not even under the CIOs’ control,” he says.
In May, the US Department of Veterans Affairs announced that a laptop and hard drive containing the personal information of 26.5 million military veterans and family members had been stolen from an employee’s home. Police later recovered the hardware, but the theft set off a series of hearings in Congress about information security practices at the VA and other federal agencies.
Some CIOs talked about efforts to encrypt information on devices, and others talked about disabling devices such as flash drives, Wohlleben says. “There’s that tension between efficiency and security,” he says. “All the CIOs are dealing with that every day.”
In addition to lost devices, CIOs expressed concern about network intrusions, Wohlleben says. There’s a fear of the unknown — that they’re “not in total or near-total control”, he says.
Among other issues federal CIOs identified as top challenges in the past year were enterprise management of IT and enterprise applications. CIOs want to see better IT management processes and tools, and they see the need for better project management.
They report that efforts to modernise application systems pose difficult challenges. Projects are complex, requiring improvement to project management and governance capabilities.
In addition to IT security, among the issues CIOs identified as achievements was consolidating IT infrastructure. CIOs reported progress in consolidating IT infrastructure into a common, centrally managed platform, ITAA says.