Feeds

•  Posts RSS
•  Comments RSS
• Subscribe via Email

Phone-Readable

Recent Comments

• Darren Couch on DHS is Looking for a CISO
• MMO Tag on Training for the Zombie Pandemic
• Sam Bowne on The Rise of the Slow Denial of Service
• jg on Apache Killer Effects on Target
• Apache Killer Effects on Target | The Guerilla CISO on The Rise of the Slow Denial of Service

What’s Hot

Tags

Categories

• Army (24)
• BSOFH (15)
• Cyberwar (7)
• DDoS (7)
• Diary of a Startup (3)
• DISA (9)
• FISMA (148)
• Flyfish (20)
• Hack the Planet (28)
• IKANHAZFIZMA (79)
• ISM-Community (15)
• NIST (93)
• Odds-n-Sods (117)
• Outsourcing (32)
• Public Policy (35)
• Rants (108)
• Risk Management (75)
• Speaking (32)
• Technical (93)
• The Guerilla CISO (80)
• Uncategorized (6)
• What Doesn't Work (87)
• What Works (112)
• Zombies (44)

Blogroll

• Amrit Williams
• Ascension Blog
• BackTrack
• Backwater Angler
• Chateau Blogsville
• Chris Hoff
• Cypher Punk Reading List
• Emergent Chaos
• Gunnar Peterson
• How Is That Assurance Evidence
• InfoSecAlways
• ISM-Community
• ISM-Community Blogs
• ISM-Community Combined Feed
• Jack Whitsitt
• Layer 8
• LOLFED
• Martin McKeay
• My Linux Blog
• NoVa InfoSec Portal
• Rich Smith
• Riskanalys.is
• Rob Newby
• Security Buddha
• Securosis
• Technology Liberation Front
• The New School of Information Security
• The Ninja CISO
• This is Fly
• TSSCI Security

Archives

• October 2012
• May 2012
• December 2011
• November 2011
• September 2011
• August 2011
• April 2011
• February 2011
• January 2011
• December 2010
• November 2010
• October 2010
• September 2010
• August 2010
• July 2010
• June 2010
• May 2010
• April 2010
• March 2010
• February 2010
• January 2010
• December 2009
• November 2009
• October 2009
• September 2009
• August 2009
• July 2009
• June 2009
• May 2009
• April 2009
• March 2009
• February 2009
• January 2009
• December 2008
• November 2008
• October 2008
• September 2008
• August 2008
• July 2008
• June 2008
• May 2008
• April 2008
• March 2008
• February 2008
• January 2008
• December 2007
• November 2007
• October 2007
• September 2007
• August 2007
• July 2007
• June 2007
• May 2007
• April 2007
• March 2007
• February 2007

Blog under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License

Learning GovieSpeak: The Plum Book

Posted July 17th, 2008 by rybolov

You were thinking this was part of the rainbow series, along with the orange book, the red book, and the fuchsia book, weren’t you?

Well, no, security dweebs, we’re on a public policy kick, probably will be until the end of the year (more on that to follow, stay tuned), so you wouldn’t be so lucky.

The Plum Book’s official title is Government Policy and Supporting Positions and basically it’s a huge staffing chart for the Senior Executive Service–the political appointees.  Congress publishes the Plum Book after each presidential election, so for those of us who remember our civics lessons in high school, that would be every 4 years, and the last one was published in 2004.

In fact, you can see the last edition here.  Caveat:  it’s dry, like the uber-trocken Franken white wine that grows in the fields around where I used to live in Germany–so dry that it sucks the moisture right out of you.

Plum Pickin photo by Secret Tenerife

Now why do we care about the Plum Book?  Well, that’s a good question.  Have a look at some of the staffing plans in the plum book, and you’ll see something missing:  Agency CISOs.

Now, I’m not a rocket scientist on org charts, but it seems to me that unless you put CISOs up to where they’re answerable to the agency head, they’re just a cost center inside the IT department with no visibility to the decision-makers.  Once again, we’ve crippled our security staffs like the old-school way of doing things.

On another note, taking a quick straw poll of the agency CISOs that I know, I think about half of them are political appointees, and half of them are GS-15s.  So what’s the difference?

Well, political appointees (SES) are appointed by the President.  They make a better target because they have much more visibility from the higher-ups they are more political in nature.

GS-scale employees are civil service careerists.  Usually these are the guys who have moved up the ranks in the various agencies and know quite a bit of things.

Which is better?  Well, if you want survivability, then GS-scale is the way to go.  If you want to make the most difference, SES is the ticket.

Most of us will never get the choice. =)

Similar Posts:

• On Government Employees, Culture, and Survivability
• It’s a Problem of Scale!
• Now ISC2 Blogs have an Opinion on FISMA
• Why We Need PCI-DSS to Survive
• Split-Horizon Assessments and the Oversight Effect

Posted in Odds-n-Sods, Rants | 3 Comments »
Tags: fisma • government • infosec • management • scalability • security

3 Responses

1.  Dan Philpott Says:
   July 17th, 2008 at 1:59 pm

   You have to love that plum colored cover. I’ve always wondered who picks the colors for these books. Additional information and linkage for the book can be found in today’s ObWiki link.

   As you point out there are some appointed CISOs, but they aren’t listed in the book as such. A quick review of the 2004 plum book has these titles which appear comparable with CISO positions:

   Associate Chief Information Officer for Cyber Security
   Associate Chief Information Officer for Security
   Associate Chief Information Officer, Cyber Security
   Associate Deputy Assistant Secretary for Cyber Security
   Director, Information Security
   Director, Information Security Oversight Office
   Director, Office of Cyber Security and Special Review

   The big problem here is how few CISO-type positions are listed, they are not present in every agency much less in each major component of the agencies. From a governance standpoint that’s a big impediment to sound management of IT security. If we could get a little more accountability and visibility by making the senior IT security positions appointed it could go a long way to enhancing the role of security in our organizations.

   Not to encourage the spoils system but there is a bonus for politicians in enhancing the appointment of CISOs. Techies might be more interested in your campaigns if the possibility of a distinguishing political appointment is an option. Besides, the Silicon Valley digerati could do with a little more integration into our body politic.

   Am I the only one who cringes every time the word ‘cyber’ is used in an official capacity?

2.  Vlad the Impaler Says:
   July 22nd, 2008 at 3:27 pm

   Dude,

   Last thing we need are congress(people) choosing CISOs. Hopefully the political appointees will keep the incumbent, or if not, seek the advice of folks at the agency as to who should have the job.

   Bottom Line: CISOs should not be political appointees.

   …and no, you’re not the only one who reacts to the word ‘cyber’ like fingernails on a blackboard…

   (I can hear Beavis and Butthead now… “He said cyber… uh, huuh, huuuuuh…”)

3.  rybolov Says:
   July 23rd, 2008 at 12:30 am

   Hi guys

   Just a reminder, “Political Appointee” does not always equal “Confirmed by Congress”. Even then, at the CISO level they don’t really grill you like they would the Secretary of DHS.

Leave a Comment