Is an emphasis on compliance hampering IT security? -- FCW
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <title>Is an emphasis on compliance hampering IT security? -- FCW</title> <meta name="description" content="Top-level agency leaders are often unaware of the risks their agencies face -- and content to remain that way, argues NARA's CISO."> <meta name="keywords" content="Leo Scanlon, chief information security officer, National Archives and Records Administration, (ISC)2, Federal Information Security Management Act, FISMA"> </head> <body id="Body1"> <form name="form1" method="post" action="cybereye-auditor-security.aspx" id="form1"> <div id="wrapper"> <div id="contentWrapper"> <div id="content"> <div id="pContent"> <div id="level0"> <div id="article"> <p id="ph_pcontent2_0_KickerText" class="kicker">Comment: Oversight</p> <h3 id="ph_pcontent2_0_MainHeading" class="title">Is an emphasis on compliance hampering IT security?</h3> <ul id="ph_pcontent2_0_ByAuthor" class="byline"> <li class="author">By <a href="https://web.archive.org/web/20130630035805/http://fcw.com/forms/emailtoauthor.aspx?AuthorItem={C4126F0C-6B16-4232-985C-93F86A33A188}&ArticleItem={6F525371-3B33-4C47-9DD2-27B48E5D6BF7}">William Jackson</a></li><li class="date">May 10, 2013</li> </ul> <div class="remove imageCap"><img class="remove" alt="audit paperwork" src="/web/20130630035805im_/http://fcw.com/articles/2013/05/10/~/media/GIG/FCWNow/Topics/Oversight/audit.ashx" title="Is 'fear the auditor' holding back real IT security?"> </div> <p>Leo Scanlon, chief information security officer of the National Archives and Records Administration, has an information security question for federal CIOs: "Are you satisfied that 
where you are is good enough? Do you understand the risk?"</p><p>Too often, he says, federal C-level officials do not know if their security is adequate because they do not understand the risks they face and what the risk tolerance of their agencies should be. And too often, they are content to remain that way.</p><p>The issue of understanding and managing IT risk takes on greater significance with the growing emphasis on automating security. Security professionals, system administrators and agency executives have been fighting a battle over IT security vs. regulatory compliance since the passage of the Federal Information Security Management Act of 2002. Critics of the act — or at least of how it has been implemented — say that an emphasis on grading agency performance based on compliance scores has undermined efforts to improve security. With the introduction of tools to monitor systems, respond to incidents and report on status, there is a chance to finally settle the battle in favor of security.</p> <div class="sidebarA" type="SideBarContent"> <a href="https://web.archive.org/web/20130630035805/http://gcn.com/Blogs/CyberEye/List/Blog-List.aspx"><img src="https://web.archive.org/web/20130630035805im_/http://1105govinfo.com/design/gig/1105govinfo/2012/img/1105GIG-logo-gcn.png" width="172" height="111" alt="GCN Logo" border="0"></a> <p>William Jackson covers cybersecurity for FCW's sister publication, GCN, where this piece first appeared. For more, see Jackson's <strong><a href="https://web.archive.org/web/20130630035805/http://gcn.com/Blogs/CyberEye/List/Blog-List.aspx">CyberEye blog on GCN.com</a></strong>.</p></div> <p>The question, said Scanlon, is "are we going to automate compliance or automate risk management?"</p><p>Speaking at a cybersecurity conference hosted by (ISC)², Scanlon said that FISMA was never intended to be about compliance. 
The opening paragraphs of <a href="https://web.archive.org/web/20130630035805/http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/pdf/PLAW-107publ347.pdf" target="_blank">the act </a>spell out that its intent is to "provide a comprehensive framework for ensuring the effectiveness of information security controls," and ". . . provide effective governmentwide management and oversight of the related information security risks . . . ."</p><p>So why the emphasis on paperwork and reporting rather than managing risk over the last 11 years? Compliance is easier to measure. Reports from auditors and inspectors general have given congressional overseers an easy way to grade agencies, either with an A, B . . . F report card or a green-yellow-red dashboard.</p><p>The C-level executives who must report to Congress have embraced this. Their approach to IT security, Scanlon said, is, "get the IG off my back."</p><p>Al Seifert, CEO of MSB Cybersecurity and formerly security officer for the Defense Department's Global Command and Control System, called FISMA a "noble endeavor" that has not fulfilled its promise.</p><p>"We are not collecting the metrics we need to ensure that our security is working," he said. "Everybody fears the auditor."</p><p>Security automation still is rudimentary and focused on compliance reporting, Seifert said. But the technology exists to do better. The Homeland Security Department's Cyberscope reporting system and the growing list of commercial tools that support the <a href="https://web.archive.org/web/20130630035805/http://nvd.nist.gov/scapproducts.cfm" target="_blank">Security Content Automation Protocol</a> make it possible to focus on real risk rather than merely playing the compliance game.</p><p>Risk management ultimately is a business decision that must be made at the CIO or CEO level of an agency, not by the IT people in the security shop, Scanlon said. 
Because security is not perfect, the level of acceptable risk must be determined based on an agency's business and mission needs. Then it is up to the security people to manage that risk.</p> <!-- pager start --> <!-- pager end --> </div> </div> <noindex> <div id="ph_pcontent3_0_EmailThis" class="email"> <p><a id="ph_pcontent3_0_Email" href="/web/20130630035805/http://fcw.com/Forms/EmailItem.aspx?EmailItem={6F525371-3B33-4C47-9DD2-27B48E5D6BF7}">E-Mail this page</a></p> </div> </noindex> <noindex> <div id="ph_pcontent3_1_PrintFormat" class="print"> <p><a id="ph_pcontent3_1_Print" href="https://web.archive.org/web/20130630035805/http://fcw.com/Articles/2013/05/10/cybereye-auditor-security.aspx?p=1" target="_blank">Printable Format</a></p> </div> </noindex> </div> <div id="sContent"> <noindex> <div id="ph_scontent2_0_pnlSearch" class="search"> <fieldset> <input name="ph_scontent2_0$txtSearch" type="text" id="ph_scontent2_0_txtSearch" onfocus="FocusSearchBox('ph_scontent2_0_txtSearch')" onblur="BlurSearchBox()"/> <select name="ph_scontent2_0$ddlCollections" id="ph_scontent2_0_ddlCollections"> <option selected="selected" value="FCW_Web">FCW</option> </select> <input type="submit" name="ph_scontent2_0$btnSearch" value="Search" id="ph_scontent2_0_btnSearch" class="submit"/> <p id="ph_scontent2_0_AdvancedFormLink" class="advanced"><a href="https://web.archive.org/web/20130630035805/http://fcw.com/Forms/Advanced-Search.aspx">Advanced Search</a></p> <input type="hidden" id="hdnSearch" name="hdnSearch" visible="false"/> </fieldset> </div> </noindex> <noindex> <!-- component markup start --> <div id="popular"> <div class="tabbedFields"> <ul class="tabMenu"> <li><a href="javascript:;">Most Popular Articles</a></li> <li><a href="javascript:;">Most Emailed Articles</a></li> </ul> <!-- content 1 --> <div class="tabContent"> <h3><a id="ph_scontent2_1_PopularItemsRepeater_ctl00_StoryHeadlineHyperLink" 
href="https://web.archive.org/web/20130630035805/http://fcw.com/articles/2013/06/27/ngen-announced.aspx">DOD announces long-awaited NGEN contract</a></h3> <h3><a id="ph_scontent2_1_PopularItemsRepeater_ctl01_StoryHeadlineHyperLink" href="https://web.archive.org/web/20130630035805/http://fcw.com/articles/2013/06/26/cybersecurity-training.aspx">What's wrong with cybersecurity training? </a></h3> <h3><a id="ph_scontent2_1_PopularItemsRepeater_ctl02_StoryHeadlineHyperLink" href="https://web.archive.org/web/20130630035805/http://fcw.com/articles/2013/06/28/security-privacy-speed-of-government.aspx">How to address the risks of 24/7 government </a></h3> </div> <!-- content 2 --> <div class="tabContent"> <h3><a id="ph_scontent2_1_PopulareEmailRepeater_ctl00_StoryHeadlineHyperLink" href="https://web.archive.org/web/20130630035805/http://fcw.com/articles/2013/06/27/bpa-small-business.aspx">Purchase agreements to profit small biz</a></h3> <h3><a id="ph_scontent2_1_PopulareEmailRepeater_ctl01_StoryHeadlineHyperLink" href="https://web.archive.org/web/20130630035805/http://fcw.com/articles/2013/06/27/ngen-announced.aspx">DOD announces long-awaited NGEN contract</a></h3> <h3><a id="ph_scontent2_1_PopulareEmailRepeater_ctl02_StoryHeadlineHyperLink" href="https://web.archive.org/web/20130630035805/http://fcw.com/articles/2013/06/26/irs-contractor-hearing.aspx">House panel probes 'cozy relationship' between IRS official, contractor</a></h3> </div> </div> </div> <!-- component markup end --> </noindex><div class="ad"> <script type="text/javascript" language="javascript"> //<![CDATA[ ord = window.ord || Math.floor(Math.random() * 100000000); document.write('<script type="text/javascript" src="https://web.archive.org/web/20130630035805/http://ad.doubleclick.net/N5978/adj/eof.fcw/;Topic=Cybersecurity;Topic=Oversight;Topic=Technology;item=6f525371_3b33_4c47_9dd2_27b48e5d6bf7;pos=Box_R1;tile=5;sz=300x250,300x600,300x480,300x850,1x1;ord=' + ord + '?"><\/script>'); //]]> </script> 
<noscript> <a href="https://web.archive.org/web/20130630035805/http://ad.doubleclick.net/N5978/jump/eof.fcw/;Topic=Cybersecurity;Topic=Oversight;Topic=Technology;item=6f525371_3b33_4c47_9dd2_27b48e5d6bf7;pos=Box_R1;tile=5;sz=300x250,300x600,300x480,300x850,1x1;ord=123456789" target="_blank"> <img src="https://web.archive.org/web/20130630035805im_/http://ad.doubleclick.net/N5978/ad/eof.fcw/;Topic=Cybersecurity;Topic=Oversight;Topic=Technology;item=6f525371_3b33_4c47_9dd2_27b48e5d6bf7;pos=Box_R1;tile=5;sz=300x250,300x600,300x480,300x850,1x1;ord=123456789" border="0" alt=""/> </a> </noscript> </div> <div class="ad"> <script type="text/javascript" language="javascript"> //<![CDATA[ ord = window.ord || Math.floor(Math.random() * 100000000); document.write('<script type="text/javascript" src="https://web.archive.org/web/20130630035805/http://ad.doubleclick.net/N5978/adj/eof.fcw/;Topic=Cybersecurity;Topic=Oversight;Topic=Technology;item=6f525371_3b33_4c47_9dd2_27b48e5d6bf7;pos=Promo_S1;tile=6;sz=300x90,1x1;ord=' + ord + '?"><\/script>'); //]]> </script> <noscript> <a href="https://web.archive.org/web/20130630035805/http://ad.doubleclick.net/N5978/jump/eof.fcw/;Topic=Cybersecurity;Topic=Oversight;Topic=Technology;item=6f525371_3b33_4c47_9dd2_27b48e5d6bf7;pos=Promo_S1;tile=6;sz=300x90,1x1;ord=123456789" target="_blank"> <img src="https://web.archive.org/web/20130630035805im_/http://ad.doubleclick.net/N5978/ad/eof.fcw/;Topic=Cybersecurity;Topic=Oversight;Topic=Technology;item=6f525371_3b33_4c47_9dd2_27b48e5d6bf7;pos=Promo_S1;tile=6;sz=300x90,1x1;ord=123456789" border="0" alt=""/> </a> </noscript> </div> <div id="sponsorTextLink" class="ad sztextlink"> <h2>More Resources</h2><ul><li><div class="ad"> <script type="text/javascript" language="javascript"> //<![CDATA[ ord2 = window.ord2 || Math.floor(Math.random() * 100000000); document.write('<script type="text/javascript" 
src="https://web.archive.org/web/20130630035805/http://ad.doubleclick.net/N5978/adj/eof.fcw/;Topic=Cybersecurity;Topic=Oversight;Topic=Technology;item=6f525371_3b33_4c47_9dd2_27b48e5d6bf7;pos=tx01;tile=1;sz=620x28;ord=' + ord2 + '?"><\/script>'); //]]> </script> <noscript> <a href="https://web.archive.org/web/20130630035805/http://ad.doubleclick.net/N5978/jump/eof.fcw/;Topic=Cybersecurity;Topic=Oversight;Topic=Technology;item=6f525371_3b33_4c47_9dd2_27b48e5d6bf7;pos=tx01;tile=1;sz=620x28;ord=123456789" target="_blank"> <img src="https://web.archive.org/web/20130630035805im_/http://ad.doubleclick.net/N5978/ad/eof.fcw/;Topic=Cybersecurity;Topic=Oversight;Topic=Technology;item=6f525371_3b33_4c47_9dd2_27b48e5d6bf7;pos=tx01;tile=1;sz=620x28;ord=123456789" border="0" alt=""/> </a> </noscript> </div> </li><li><div class="ad"> <script type="text/javascript" language="javascript"> //<![CDATA[ ord2 = window.ord2 || Math.floor(Math.random() * 100000000); document.write('<script type="text/javascript" src="https://web.archive.org/web/20130630035805/http://ad.doubleclick.net/N5978/adj/eof.fcw/;Topic=Cybersecurity;Topic=Oversight;Topic=Technology;item=6f525371_3b33_4c47_9dd2_27b48e5d6bf7;pos=tx02;tile=2;sz=620x28;ord=' + ord2 + '?"><\/script>'); //]]> </script> <noscript> <a href="https://web.archive.org/web/20130630035805/http://ad.doubleclick.net/N5978/jump/eof.fcw/;Topic=Cybersecurity;Topic=Oversight;Topic=Technology;item=6f525371_3b33_4c47_9dd2_27b48e5d6bf7;pos=tx02;tile=2;sz=620x28;ord=123456789" target="_blank"> <img src="https://web.archive.org/web/20130630035805im_/http://ad.doubleclick.net/N5978/ad/eof.fcw/;Topic=Cybersecurity;Topic=Oversight;Topic=Technology;item=6f525371_3b33_4c47_9dd2_27b48e5d6bf7;pos=tx02;tile=2;sz=620x28;ord=123456789" border="0" alt=""/> </a> </noscript> </div> </li><li><div class="ad"> <script type="text/javascript" language="javascript"> //<![CDATA[ ord2 = window.ord2 || Math.floor(Math.random() * 100000000); document.write('<script 
type="text/javascript" src="https://web.archive.org/web/20130630035805/http://ad.doubleclick.net/N5978/adj/eof.fcw/;Topic=Cybersecurity;Topic=Oversight;Topic=Technology;item=6f525371_3b33_4c47_9dd2_27b48e5d6bf7;pos=tx03;tile=3;sz=620x28;ord=' + ord2 + '?"><\/script>'); //]]> </script> </div> </li></ul> </div> </div> <div id="xContent"> <noindex> <!-- component markup start --> <div id="ph_xcontent3_0_relatedSpecific" class="relatedSpecific"> <div class="items"> <h3 id="ph_xcontent3_0_RelatedTitle">Related Articles</h3> <ul> <li><a id="ph_xcontent3_0_RelatedItemRepeater_ctl00_ItemHyperLink" href="https://web.archive.org/web/20130630035805/http://fcw.com/Articles/2013/06/18/cyber-authorities-debate.aspx">How far is too far in cyber defense? 
</a><span></span></li> <li><a id="ph_xcontent3_0_RelatedItemRepeater_ctl01_ItemHyperLink" href="https://web.archive.org/web/20130630035805/http://fcw.com/Articles/2013/05/16/cybersecurity-roi.aspx">Measuring what never happened</a><span></span></li> <li><a id="ph_xcontent3_0_RelatedItemRepeater_ctl02_ItemHyperLink" href="https://web.archive.org/web/20130630035805/http://fcw.com/Articles/2013/02/22/critical-read-cyber-defense.aspx">A case for active cyber defense</a><span></span></li> </ul> </div> </div> <!-- component markup end --> </noindex> </div> </div> </div> <div id="extraWrapper"> <div id="extraContent"> <div id="ph_extracontent2_0_CommentsList"> <a name="Comments"></a> <div id="comments"> <h3 id="ph_extracontent2_0_h3ShowComments">Reader comments</h3> <div class="standard"> <h2> Thu, May 30, 2013 <span class="name"> </span> <span class="location"> </span> </h2> <p> There are no consequences for most CIOs and agency chiefs who do not follow the security recommendations of their own agencies. Scanlon knows this. His reports have shown the same shortcomings at NARA year after year, yet nothing gets done. </p> </div> <div class="standard"> <h2> Tue, May 14, 2013 <span class="name"> Anon</span> <span class="location"> </span> </h2> <p> "Risk management ultimately is a business decision that must be made at the CIO or CEO level of an agency, not by the IT people in the security shop." And who provides the presentations to educate the barely technically literate CIO and/or CEO? Yep, the IT and security people with the agendas. Silly CIO, tricks are for kids...</p> </div> <div class="standard"> <h2> Tue, May 14, 2013 <span class="name"> </span> <span class="location"> </span> </h2> <p> Security people tend to know the least about technology and operate in fear. They believe mitigation means elimination of risk, a fool's errand. 
Worse, they push their agenda in the name of "security" by dropping the "security card" when a business need is either unmet or requires something functionally different than what security wants. </p> </div> <div class="standard"> <h2> Mon, May 13, 2013 <span class="name"> John g</span> <span class="location"> </span> </h2> <p> "C-level officials do not know if their security is adequate because they do not understand" - that's the story: most C-level folks haven't a clue about software, much less current software and how to keep it secure. </p> </div> <div class="standard"> <h2> Sun, May 12, 2013 <span class="name"> </span> <span class="location"> </span> </h2> <p> Ask the VA how giving two cares about security has turned out for IT. Yeah, somebody is happy, but it never makes the people in the business who are there to do a job (other than security brownie points for Congress) get their job done. So until Congress and the President say that security is more important than the fundamental job the agency is there to do, this is all bunk. And when Congress and the President say that security is important, they should say what they're willing to pay to meet it. Let productivity in the root areas of the business, added people, added costs. It's simple, security is popular, that's about it. Other than tons of wasted dollars to pay for useless programs and people to report all the things folks aren't doing, it's junk. We need to quit pretending to want security like the CIA and NSA have and not be willing to lock down the agency and the data the way they have.</p> </div> <p> </p> </div> <div class="commentform"> <h3> Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. 
We will not post comments that we consider abusive or off-topic.</h3> </div> </div> </div> </div> </div> </form> </body> </html>