CISO Exchange falters over format and fees

Three days after forming as an advisory board with congratulations all around, the newly created Chief Information Security Officers Exchange stumbled, as its co-chairman, Rep. Tom Davis (R-Va.), said he was having second thoughts. A week later, the group had collapsed, as both Davis and the CIO Council, which had been an-nounced as the co-chairs, withdrew their support of the exchange late last week.“Neither Davis nor the Committee will have any role in the exchange,” said David Marin, deputy staff director for the House Government Reform Committee, which Davis chairs.The public-private partnership for federal CISOs began to teeter almost immediately after Davis and others raised concerns about the $75,000 fees being charged to its six industry board members.The CISO Exchange was formed to bring government and industry security specialists together to share in-sights and best practices, but some officials worried that the fees created the appearance of selling access to the eight high-level government officials on the board.“We were not aware of fees being charged,” said David Marin, deputy staff director for the House Government Reform Committee, which Davis chairs.Last week, CISO Exchange proponents were seeking new backers and a fresh structure to allay the concerns. One solution being considered would move it under the auspices of the Industry Advisory Council, a nonprofit group promoting communication between industry and government IT leaders.Davis said he is still looking for ideas for how to pursue the same goals. “We are always looking for ideas,” Marin said.Dan Matthews, vice chairman of the CIO Council, said the council also supports the general idea.“The CIO Council looks forward to establishing a chief information security officer exchange that is open and accessible to all members of the IT community in both the government and private sector,” he said.On April 11, a corporate advisory board member dropped out. Austin Yerks, president of business development of the federal sector for Computer Sciences Corp., cut his ties with the exchange, saying he had never officially signed up.“There was some preliminary discussion, but we never officially joined,” said Chuck Taylor, a spokesman for Yerks. “We share [Davis’] concerns.”The exchange was founded in February, at the same time the House Government Reform Committee released its annual report card on federal information security, giving most government agencies low grades.Davis had originally announced that he and the CIO Council would co-chair the exchange, represented, respectively, by Government Reform Committee staff director Melissa Wojciak and Justice Department CIO Vance Hitch.Stephen O’Keeffe, founder of public relations firm O’Keeffe & Company of Alexandria, Va., held a press conference at the FOSE 2005 trade show April 5 to announce other advisory board members: six federal chief information security officers from the Homeland Security, Defense, State, Treasury, Justice, and Housing and Urban Development departments, and “industry fellow” Ken Ammon, president of government solutions for NetSec Inc. of Herndon, Va. The group would hold four meetings a year, closed to the public, said O’Keeffe, who said the exchange would be a holding company of his management firm.Under the plan, integrators and IT solutions providers were invited to pay $75,000 for a seat on the advisory board. Vendors and other industry participants could pay either $25,000 or $5,000 for lesser levels of participation—but with no access to the meetings except for a few winners of a lottery.Less than 48 hours after the FOSE announcement, Davis stepped back, worried that the structure of the exchange would appear to give some industry participants exclusive access to him.O’Keeffe said the group’s structure is needed to break through a longstanding stalemate in im-proving federal information security, reflected by the consistently poor report card grades for such efforts given by Davis’ committee.“We’ve been at the status quo too long,” O’Keeffe said. “The CIO Council is frustrated. The CISOs are frustrated. We need to provide a forum to move this forward.“We’ve made every effort to structure this appropriately,” O’Keeffe said. “The fellows are integrators and service organizations, not vendors,” to avoid vendor bias. Furthermore, he said, “this is not a policy group, it’s operational.”Bob Woods, executive chairman of the Industry Advisory Council, said he was troubled by the idea of closed meetings and high fees.“These are closed meetings where you pay your way in, and a mix of people doing oversight and the people overseen,” Woods said. “The atmospherics don’t look good.”However, he said, “I don’t want to be too critical without knowing more about the group.”Woods said he was approached last week by several government officials, some of whom are members of the CISO Exchange, and asked informally to help salvage its mission by creating a Shared Industry Group within the council. The board was to begin considering the idea last week.O’Keeffe, in defending the exchange, repeatedly compared it to the FOSE trade show and other events that bring together industry and government executives.“The CISO Exchange represents a new model in public-private interaction and collaboration, and we are very proud of the construct,” O’Keeffe said. “There is a clear precedent for government executives participating in private-sector, sponsor-funded initiatives.”FOSE charges industry members for advertising and exhibiting at the convention center, where exhibitors hope to attract the attention of the more than 20,000 government employees and contractors who attend the how. But it has no advisory board, said David Greene, president of PostNewsweek Tech Media, which owns FOSE and publishes Government Computer News and Washington Technology.“What the industry representatives are buying is a chance to be at the conference, not an opportunity to sit on the board,” Greene said.