Seeking risk managers

Federal agencies could be missing the point when they move senior information technology officials into positions in which they are responsible for information security.

By requiring chief information security officers (CISOs) to report to agencies’ chief information officers, federal officials are treating information security as an IT problem, which may be the wrong approach, said Paul Proctor, vice president for security and risk strategies at META Group, now owned by Gartner.

“One of the fundamental things they’re missing here is that security and risk management are not technical IT problems,” Proctor said.

Executives at private-sector companies are beginning to look for people who have risk management experience in addition to, or in lieu of, IT experience when they hire senior information security officials, he said.

It is a demand that will only continue to grow. Forrester Research analysts estimate that 75 percent of the largest companies will have a chief risk officer by 2007.

But whether the private-sector trend toward hiring risk managers with business experience will take hold in the federal sector is uncertain. The E-Government Act of 2002 gives federal CIOs responsibility for information security and the authority to delegate that responsibility to a senior agency official.

Many senior security officials agree that questions about the appropriate career path for CISOs will demand answers as the need grows for more people to fill such positions. “The security field is growing — that’s the good news,” said Jane Norris, CISO at the State Department. “The bad news is where are we going to get all these people.”

She pointed to a recent study conducted by the International Information Systems Security Certification Consortium, which certifies information security officials’ training. According to the study, senior officials expect employment for people in information security positions to increase at a compound annual growth rate of 14 percent between now and 2008.

The same report projects slower growth in IT employment, stating that it will increase at a compound annual rate of only 5 percent to 8 percent in the same period.

Some federal agencies are committed to seeing that the next generation of CISOs has the advantages of academic degree programs tailored to computer and information security. For example, since 2001, the National Science Foundation, with funding from the Homeland Security Department, has given student scholarships and institutional grants to colleges and universities that offer degree programs in the emerging field known as information assurance.

“Students who are coming out of school now are having the benefit of entire programs focused on information assurance, and that’s not the way it used to be,” said Diana Gant, director of the NSF’s Federal Cyber Service Scholarship for Service Program.

The course offerings are interdisciplinary and usually include management and operations courses, she said.