CIO Council says no to CISO Exchange

The CIO Council is breaking its ties with the for-profit CISO Exchange.

The CIO Council is formally separating itself from a for-profit forum for government and private-sector chief information security officers (CISOs), according to a statement released today by council Director Karen Evans.

Council members voted April 13 to recommend to Evans that the council formally withdraw membership from the CISO Exchange, a for-profit effort spearheaded by O’Keeffe and Co., a Northern Virginia marketing and public relations firm. Evans, also the Office of Management and Budget's administrator for e-government and information technology, accepted the council’s recommendation, an OMB release states.

The CISO Exchange has come under fire from government and industry officials for appearing to sell influence over government policy formulation. Steve O’Keeffe, principal of the company, could not be reached for comment.

Part of the council’s recommendation is that its Best Practices Committee begin addressing how to improve agency grades in an annual score card on federal cybersecurity. The council will establish an open and accessible forum for the IT community, states a separate release from CIO Council Vice Chairman Dan Matthews.

Among the possibilities council members are discussing is issuing a general call for white papers on federal cybersecurity and holding a symposium on the best ones.

Government officials have also approached the Industry Advisory Council about creating a CISO forum, IAC Chairman Bob Woods told Federal Computer Week April 12. He could not be reached for comment today.

The council’s announcement comes almost a week after Rep. Tom Davis (R-Va.) said he and his staff would officially withdraw from the CISO Exchange. In addition to the CIO Council, O'Keeffe had pointed to Davis, chairman of the House Government Reform Committee, as an exchange sponsor.

A major cause of the controversy surrounding the CISO Exchange is the perception of an inappropriate link between the group's paying members and government policy-makers.

Among the exchange's planned efforts is an annual report on cybersecurity reports. Full industry participation in the exchange costs $75,000 and is limited to six systems integrator representatives. Other industry officials can join for $25,000 or $5,000, with varying levels of access and authority over exchange efforts. Critics have said reports from a group that includes members of the CIO Council and Davis staff could be perceived to be government policy documents.
