CISO Exchange falters over high industry fees

Three days after forming an advisory board with congratulations all around, the newly created Chief Information Security Officers Exchange took a stumble when its co-chairman, Rep. Tom Davis (R-Va.), said he was having second thoughts. A week later, as other participants also reconsidered, its leaders were scrambling to breathe new life into the group.What caused the public-private partnership for federal chief information security officers to begin teetering almost immediately were concerns raised by Davis and others about the $75,000 fees being charged to its six industry board members. The CISO exchange was formed to bring government and industry security specialists together to share insights and best practices. But some officials worried that the fees create the appearance of selling access to the eight high-level government officials on the board. "We were not aware of fees being charged," said David Marin, deputy staff director for the House Government Reform Committee, which Davis chairs.At press time, CISO Exchange proponents were avidly seeking new backers and a fresh organizational structure to allay the concerns. One solution being considered would move it under the auspices of the Industry Advisory Council, a non-profit group promoting communication between industry and government IT leaders. Davis said he still supports the partnership's goals. "We stand behind it and we think it's going to be a successful program," he said.Meanwhile, members continued to distance themselves from the CISO Exchange.Vance Hitch, chief information officer for the Justice Department, was listed in several news releases as co-chair of the exchange, representing the Federal CIO Council. Hitch now calls those announcements premature."I'm not officially co-chairman yet, because [the CISO Exchange] doesn't exist yet," Hitch said. "We've had no meetings. It does not exist. It's a paper proposal." The CIO Council supports the intent of the exchange and is looking for a way to carry out the concept, but with a "non-controversial model," he said. "What needs to be done is to have an open forum for best practices that is open and accessible to all," said Bill Mosely, a spokesman for the CIO council. Mosely and Hitch declined to say what specific fees or structure might be acceptable.On April 11, a corporate advisory board member dropped out. Austin Yerks, president of business development of the federal sector for Computer Sciences Corp. cut his ties with the CISO Exchange, saying he had never officially signed up."There was some preliminary discussion, but we never officially joined," said Chuck Taylor, a spokesman for Yerks. "We share the chairman's [Davis'] concerns."Empowering officersThe exchange was founded in February at the same time the House Government Reform Committee released its annual report card on federal information security, giving most government agencies low grades. "I'm proud to announce the formation of the industry-led CISO Exchange, a public-private initiative focused on empowering CISOs," Committee Chairman Davis said in a news release Feb. 16. Davis said the group, in addition to discussing best practices, would produce an annual report on federal IT security.Davis also announced that he and the CIO Council would co-chair the CISO Exchange, represented, respectively, by Government Reform Committee staff director Melissa Wojciak and Hitch. Stephen O'Keeffe, founder of public relations firm O'Keeffe & Company, Alexandria, Va., arranged a press conference at the FOSE 2005 trade show April 5 to announce the other advisory board members: six federal chief information security officers from the departments of Homeland Security, Defense, State, Treasury, Justice and Housing and Urban Development, and "industry fellow" Ken Ammon, president of government solutions for NetSec Inc. of Herndon, Va. The advisory board would be chaired by Hitch and Wojciak as well, the April 5 press release said.The group will hold four meetings a year, closed to the public, O'Keeffe said.O'Keeffe also said he is serving as the exchange group's manager, paid with an hourly fee. The CISO Exchange is a "holding company" of his management firm, O'Keeffe said. Integrators and IT solutions providers are invited to pay $75,000 for a seat on the advisory board, while vendors and other industry participants can pay either $25,000 or $5,000 for reduced levels of participation ? but with no access to the meetings except for a few winners of a lottery, he said.Less than three days after the FOSE announcement, Davis stepped back."After learning more about recent developments pertaining to the CISO Exchange, Davis is in the process of re-evaluating his relationship to the program," Marin said, adding that Davis is concerned about the $75,000 fee. "We don't want any role or input in any fees," he said. Davis "wants to make absolutely sure that no one infers that the committee's name or resources are being used to support a commercial endeavor, or that the committee's role will imply that any work product produced will somehow have the committee's imprimatur on it," Marin said.Davis also is worried that the structure of the exchange may appear to give some industry participants exclusive access to him. Davis does not want "any would-be sponsor to believe that sponsoring the exchange means they will have an inside track to him or committee staff," Marin said."We're working on a way to address these concerns while continuing to support the exchange and its important goals," Marin said. "He is not resigning, per se; that would imply he wants nothing to do with the exchange. In fact, he plans to address the group, and a staff designee will participate in as many meetings as possible."O'Keeffe said the group's structure is needed to break through a longstanding stalemate in improving federal information security, reflected by the consistently poor report card grades for such efforts given by Davis' committee. "We've been at the status quo too long," O'Keeffe said. "The CIO Council is frustrated. The CISOs are frustrated. We need to provide a forum to move this forward. "We've made every effort to structure this appropriately," O'Keeffe said. "The fellows are integrators and service organizations, not vendors," to avoid vendor bias. Furthermore, he said, "this is not a policy group, it's operational."Pay for play?But several academic and industry experts say it's questionable to charge a high fee to industry participants in a public-private partnership with top-level government officials."If the government and Congress want to meet, that's fine, but why do they want to charge the private sector $75,000 to show up?" asked Steven Cohen, vice dean of Columbia University's School of International and Public Affairs. "In New Jersey, that would be called pay for play."The problem is you have important government officials showing up, lending time to a profit-making enterprise. That's a potential ethical breach," Cohen said.Bob Woods, executive chairman of the Industry Advisory Council, an industry group representing IT companies, said he was troubled by the idea of closed meetings and high fees."These are closed meetings where you pay your way in, and [there is] a mix of people doing oversight and the people overseen," Woods said. "The atmospherics don't look good." However, he said, "I don't want to be too critical without knowing more about the group."On April 12, Woods said he was approached by several government officials, some of whom are members of the CISO Exchange, and asked informally to help salvage its mission by creating a Shared Industry Group within the council. The board was to begin considering the idea last week.Compare and contrastO'Keeffe, in defending the exchange, repeatedly compared it to the FOSE trade show and other events that bring together industry and government executives."The CISO Exchange represents a new model in public-private interaction and collaboration, and we are very proud of the construct," O'Keeffe said. "There is a clear precedent for government executives participating in private sector, sponsor-funded initiatives."FOSE charges industry members for advertising and exhibiting at the convention center, where exhibitors hope to attract the attention of more than 20,000 government IT employees and contractors who attend the trade show. But FOSE has no advisory board, said David Greene, president of PostNewsweek Tech Media, which owns FOSE and publishes Government Computer News and Washington Technology. "What industry is buying is a chance to be at the conference, not an opportunity to sit on any board," Greene said.O'Keeffe also claimed a Washington Technology reporter was "conflicted" in writing about the CISO Exchange because of the newspaper's ownership by the same company that owns FOSE."We're a media company with a well-established model," Greene said. "The editorial operations are independent of the advertising operations, and we take that traditional Chinese Wall very seriously here."Marin said Davis did not create the group under the committee's or his own official authority, but rather was approached by the private sector and asked to participate in the group. "The chairman saw it as an opportunity to foster an exchange of ideas," he said.However, the group's structure that evolved between February and April "is, frankly, not what we expected," Marin said. "We envisioned it as an informal gathering or a lunch."Marin said that Davis now wants to make sure that the exchange is not perceived as "an exclusive entity to control access to the chairman, his staff or the work product. That clearly creates problematic issues," Marin said."We want to continue to support it, but to make sure of the appropriateness," said Marin."The chairman is still supportive, and we're very supportive of the chairman's position," O'Keeffe said. Staff Writer Alice Lipowicz can be reached at alipowicz@postnewsweektech.com. GCN Senior Writer Patience Wait contributed to this story.