What CISOs Have Been Waiting For

When NASA's chief information security officer issued a memo on Tuesday directing network managers to stop writing reports certifying that systems complied with a security law and instead focus on scanning systems for ways hackers could infiltrate them, you could hear security experts exhale a big sigh of relief. This is huge. One security expert told Nextgov that this is what they've been working toward for the past 15 years.

Jerry Davis, NASA's CISO who sent the memo out, did what many security execs in government probably would like to but just didn't have the political cover for. FISMA just hasn't worked, as he told Nextgov (without uttering the name of the law), and he knew what would: Focus on where your holes are in the system and patch those. Keep on top of the new threats and make sure -- in real time -- that your networks are protected against those.

The reporting requirements, which could take weeks and months to complete, have cost agencies a lot -- upwards of $10 million at NASA, and $133 million at the State Department, where John Streufert, chief information security officer at the department, did something similar and has shown real progress in tightening down systems there.

But more importantly, the reporting regime has cost agencies data and information, which attackers have carried off while staff were busy on paperwork. Several federal security execs and chief information officers have told me that what the U.S. government has lost from computer systems that are as porous as a sponge is unfathomable. Five years ago, one top expert told me that anything worth protecting has already been stolen.

Davis and Streufert have blazed a new trail. Congress is poised to act. Expect more CISOs to follow. As another security professional said, "Remember this day."