Study: Patch management is top concern of CISOs

Patch management is the No. 1 security concern of federal chief information security officers, according to study commissioned systems integrator Intelligent Decisions Inc.

"As an integrator, we need to pay attention to patch management solutions," said Gene Antonelli, Intelligent Decisions' vice president of sales and marketing. "These CISOs have the technical expertise, but clearly they could use additional support from the private sector on this."

The study also found that CISOs are concerned about software quality, a concern that is likely related to patch management, said Ted Ritter, director of cybersecurity at Chantilly, Va.-based Intelligent Decisions.

"If the software was higher quality, they wouldn't have to patch as much," Ritter said.

The study found cyberattack preparedness, Federal Information Security Management Act (FISMA) compliance and network compromise among the CISOs concerns.

The study was based on telephone interviews with 25 of the 117 federal agency CISOs. The issues facing CISOs who control budgets of less than $500,000 and those who control budgets of more than $10 million are significantly different, the study found.

The smaller-budget CISOs said they spend 45 percent of their time to FISMA compliance.

"When they spend 45 percent of their time with compliance reporting, we wonder if that is the best use of their time," Ritter said. "Is it becoming an administrative nightmare, particularly for these people with small budgets?"

The higher-budget CISOs spend 27 percent of their time on FISMA compliance reporting, the study found.