GovInfoSecurity wonders what role the Federal Information Security Management Act – aka FISMA – played in the massive OPM breach:

FISMA has also created a “cyber-industrial complex” that feeds at the trough of federal cybersecurity spending and has become so entrenched and powerful that it rules federal cybersecurity with a profitability rather than a best-practice metric. Compounding this problem are agencies that have failed to adapt archaic acquisition strategies and contracting practices to deal with the dynamic realities of cybersecurity trends and developments.

Many agencies are using “lowest price, technically acceptable” contractors to protect some of our nation’s most important and sensitive data. For these agencies, disaster either has occurred or is imminent.

The stark reality is that no agency in the executive branch prioritizes cybersecurity as a core business enabler. Federal agencies treat cybersecurity as an IT annoyance, buried as it is under their CIO. Federal agencies practice crisis-to-crisis cybersecurity management, and not proactive infrastructure resilience. Congress abets this approach by enacting authorization language that instructs each agency to deliver specific entitlements or services to the taxpayer, and appropriation language that funds the associated authorization, neither of which elevates cybersecurity to anything near an agency priority.

The government sees cyber security as a nuisance and generally places so little emphasis on it that necessary projects are rarely properly funded. Adequately explaining security concerns in a context C-level executives can understand is where the process often fails. If cyber security issues are articulated as business enablement, rest assured they will be understood.

What we need is more people capable of discussing cyber security in a business context rather than a technical one. This is why it is important to have a CISO reporting directly to the CEO rather than the CIO. The CIO rarely understands the nuances of cyber security and, like the rest of the C-level executives, oftentimes ignores what security professionals see as an obvious threat.