Learning GovieSpeak: The Plum Book

Posted July 17th, 2008

You were thinking this was part of the rainbow series, along with the orange book, the red book, and the fuchsia book, weren’t you?

Well, no, security dweebs, we’re on a public policy kick, probably will be until the end of the year (more on that to follow, stay tuned), so you wouldn’t be so lucky.

The Plum Book’s official title is Government Policy and Supporting Positions and basically it’s a huge staffing chart for the Senior Executive Service–the political appointees.  Congress publishes the Plum Book after each presidential election, so for those of us who remember our civics lessons in high school, that would be every 4 years, and the last one was published in 2004.

In fact, you can see the last edition here.  Caveat:  it’s dry, like the uber-trocken Franken white wine that grows in the fields around where I used to live in Germany–so dry that it sucks the moisture right out of you.

[Photo: Plum Pickin, by Secret Tenerife]

Now why do we care about the Plum Book?  Well, that’s a good question.  Have a look at some of the staffing plans in the plum book, and you’ll see something missing:  Agency CISOs.

Now, I’m not a rocket scientist on org charts, but it seems to me that unless you put CISOs up to where they’re answerable to the agency head, they’re just a cost center inside the IT department with no visibility to the decision-makers.  Once again, we’ve crippled our security staffs like the old-school way of doing things.

On another note, taking a quick straw poll of the agency CISOs that I know, I think about half of them are political appointees, and half of them are GS-15s.  So what’s the difference?

Well, political appointees (SES) are appointed by the President.  They make a better target because they have much more visibility from the higher-ups and are more political in nature.

GS-scale employees are civil service careerists.  Usually these are the guys who have moved up the ranks in the various agencies and know quite a bit of things.

Which is better?  Well, if you want survivability, then GS-scale is the way to go.  If you want to make the most difference, SES is the ticket.

Most of us will never get the choice. =)

Posted in Odds-n-Sods, Rants

3 Responses

  1.  Dan Philpott Says:

    You have to love that plum colored cover. I’ve always wondered who picks the colors for these books. Additional information and linkage for the book can be found in today’s ObWiki link.

    As you point out there are some appointed CISOs, but they aren’t listed in the book as such. A quick review of the 2004 plum book has these titles which appear comparable with CISO positions:

    Associate Chief Information Officer for Cyber Security
    Associate Chief Information Officer for Security
    Associate Chief Information Officer, Cyber Security
    Associate Deputy Assistant Secretary for Cyber Security
    Director, Information Security
    Director, Information Security Oversight Office
    Director, Office of Cyber Security and Special Review

    The big problem here is how few CISO-type positions are listed; they are not present in every agency, much less in each major component of the agencies. From a governance standpoint that’s a big impediment to sound management of IT security. If we could get a little more accountability and visibility by making the senior IT security positions appointed, it could go a long way to enhancing the role of security in our organizations.

    Not to encourage the spoils system but there is a bonus for politicians in enhancing the appointment of CISOs. Techies might be more interested in your campaigns if the possibility of a distinguishing political appointment is an option. Besides, the Silicon Valley digerati could do with a little more integration into our body politic.

    Am I the only one who cringes every time the word ‘cyber’ is used in an official capacity?

  2.  Vlad the Impaler Says:

    The last thing we need is congress(people) choosing CISOs. Hopefully the political appointees will keep the incumbent, or if not, seek the advice of folks at the agency as to who should have the job.

    Bottom Line: CISOs should not be political appointees.

    …and no, you’re not the only one who reacts to the word ‘cyber’ like fingernails on a blackboard…

    (I can hear Beavis and Butthead now… “He said cyber… uh, huuh, huuuuuh…”)

  3.  rybolov Says:

    Hi guys

    Just a reminder, “Political Appointee” does not always equal “Confirmed by Congress”. Even then, at the CISO level they don’t really grill you like they would the Secretary of DHS.
