Posts RSS
Subscribe via Email
The Press has Me all Confused
Posted December 4th, 2008 by rybolov
So, what’s the deal? Have a look through the following articles:
- Cybereye | Has FISMA improved IT security? Maybe: It is safe to say we are better off than we would have been without it
- Melding Security
- Experts tackle guidance to stop cyberattacks
- Staffer: FISMA bill will pass in the next Congress
And wow, you would think that either the anti-FISMA cabal was on strike this month. Even Alan Paller’s comments are toned down. What gives?
But then again, maybe it’s just all part of the transition honeymoon–if you say things enough times, then eventually somebody picks up on it and recommends it to a committee and then it’s true.
My Bike the Transition Bottlerocket photo by Tom Grundy Photo.
Now at this point I start to get cynical, and here is why. Everybody agrees that cybersecurity (been working with the Government for too long, I don’t even cringe at the word) is this phenomenally important thing that we all should do something about. But since it’s a cost, for the most part it never actually happens.
In other words, it’s exactly the same problem that CISOs in private enterprise, the banking industry, and insurance has been dealing with for a “long” time: everybody wants security, but they don’t want to pay for it.
And the last article I have to give y’all today is this one from CIO.com. Programs and ideas are great and all, but the CISO inside me knows that things won’t get done until there is a budget behind it. That’s why the National Strategy to Secure Cyberspace hasn’t gone much of anywhere until the standup and subsequent funding of the National Cybersecurity Division and the National Infrastructure Protection Plan (yes, you could argue that they need much more funding than they currently have, but you can’t stand up something that big that fast).
Maybe I’ve come back around to the classic argument: talk is cheap, security isn’t. And when transition fever comes to the Beltway, everybody has something to talk about. =)
Similar Posts:
Posted in FISMA, Rants | 
2 Comments »
Tags: comments • fisma • government • infosec • management • moneymoneymoney • publicpolicy • security
December 5th, 2008 at 9:57 am
Then I’ll go ahead and say it. FISMA has squandered massive amounts of resources on measuring the wrong things in the wrong way. It is compliance for the sake of compliance with practically nothing to do with security. Our systems have been thoroughly compromised, even the ones in agencies with a silly “A” grade, because FISMA measures compliance, not security. FISMA has been a waste of resources from Day One, but there is a shred of hope that a new FISMA and a new administration might actually get it right.
December 8th, 2008 at 6:06 pm
I tend to disagree, and my argument is scattered throughout my blog.
However, the only thing I’ll comment right now is that I don’t believe the solution to regulation problems is more regulation.