US agency CIOs: IT security remains top concern

IT security remains a top concern of U.S. government chief information officers, but it's also an area where they're making much progress, according to a survey released Monday by the Information Technology Association of America.

CIOs told the ITAA, a trade group based in Arlington, Virginia, that they made progress in certifying their IT systems, training IT workers and other employees about cybersecurity, and setting up IT security policies during 2006, said Paul Wohlleben, a partner with Grant Thornton LLP's Global Public Sector, and chairman of ITAA's CIO survey project.

Even as multiple reports of missing government laptops and other devices containing personal information came to light last year, federal CIOs said they're making "incremental progress" toward achieving federal cybersecurity mandates, Wohlleben said.

CIOs, responding in face-to-face surveys during which they were promised anonymity, told ITAA they're also making progress integrating security into their information architecture, instead of "bolting on" security afterward, he said.

And CIOs said they've made progress implementing information privacy programs, although in many cases, the progress was simply getting a privacy program off the ground, Wohlleben said. "Quite frankly, there's not a lot of maturity out there," he said of privacy programs. "For a lot of agencies, they're really taking credit for getting this started. Some things take quite a while to achieve in the federal space."

The survey , made up of 47 government CIOs or related officials, found some frustration with agency information security practices, Wohlleben said. Many CIOs said they don't have authority over personal inventory rules covering devices such as laptops, even though the high-profile breaches last year involved laptops, hard drives or other similar devices. "There's a wide range of devices that are not even under the CIOs' control," he said.

In May, the U.S. Department of Veterans Affairs announced that a laptop and hard drive containing the personal information of 26.5 million military veterans and family members had been stolen from an employee's home. Police later recovered the hardware, but the theft set off a series of hearings in Congress about information security practices at the VA and other federal agencies.

Some CIOs talked about efforts to encrypt information on devices, and others talked about disabling devices such as flash drives, Wohlleben said. "There's that tension between efficiency and security," he said. "All the CIOs are dealing with that every day."

In addition to lost devices, CIOs expressed concern about network intrusions, Wohlleben said. There's a fear of the unknown -- that they're "not in total or near-total control," he said.

Among other issues federal CIOs identified as top challenges this past year:

-- Enterprise management of IT: CIOs want to see better IT management processes and tools, and they see the need for better project management.

-- Enterprise applications: CIOs say that efforts to modernize application systems pose difficult challenges. Projects are complex, requiring improvement to project management and governance capabilities.

In addition to IT security, among the issues CIOs identified as achievements was consolidating IT infrastructure. CIOs reported progress in consolidating IT infrastructure into a common, centrally managed platform, ITAA said.