Gov't Infosec Pros Question Fed's Security ResolveOur Survey: Washington Needs to Show More IT Security Leadership
Government IT security managers and professionals overwhelmingly believe the federal government does not place enough emphasis on cybersecurity, according to the inaugural State of Government Information Security survey, unveiled Thursday by GovInfoSecurity.com at the RSA2011 conference in San Francisco.
Two-thirds of the surveyed IT security professionals and managers working for federal, state and local governments responded "No" when asked whether the federal government placed enough emphasis on cybersecurity; 26 percent replied "Yes" and 7 percent had no opinion.
The survey findings suggest that government IT security practitioners - whether they work at the federal, state or local levels - want strong leadership from Washington, and aren't getting it. More than half say a White House cybersecurity official should have some budgeting authority, including 21 percent who feel that official should have veto power over agencies' IT security budgets.
"You look at the fact that we need resources, and we don't have resources, the obvious place we're going to turn to and follow, as far as guidance and best practices, are the people who have the money," says David Matthews, deputy chief information security officer for the city of Seattle, who helped present the survey at the conference. "If they got money to provide, then they're the people we're going to pay attention to."
The findings released at RSA2011 reflect only a portion of the topics covered by the survey, and more analysis of the findings will appear here in the coming days and weeks.
Another takeaway from the survey: Most government IT security practitioners believe cloud computing is not ready for primetime. Nearly 60 percent don't feel confident that sensitive data can be secured on the cloud. Many have doubts that even private cloud computing can be secured. At 69 percent, the biggest reservation government IT security practitioners have with the cloud is the inability to enforce security policies.
Among other key findings:
- One-third concede their agencies fail to do an adequate job to counter threats.
- Nearly one-third say their agencies experienced a significant breach in the past 12 months.
- Half see insider threats and poor practices as their greatest vulnerabilities.
- Nearly two-thirds see poorly trained and careless users as those posing the greatest threats.
- A majority of state and local IT security organizations - 41 percent among federal respondents - struggle to recruit and retain qualified security specialists, with a majority agreeing that the skills shortage puts their IT systems at risk.
- Three-quarters of local and state respondents believe their governments should be compelled to adhere to National Institute of Standards and Technology IT security policies, but only 43 percent say their organizations closely adhere to NIST standards.
- Access/identity management, cloud computing, encryption and secure mobility are seen as main technology priorities in the coming year.
GovInfoSecurity.com polled more than 200 IT security professionals working for local, state and federal governments over a three-week period ending Feb. 10.
In the coming weeks, we'll post more exhaustive results from the survey, including respondents' takes on the value of the Einstein intrusion detection systems, Trusted Internet Connection initiative, Federal Information Security Management Act compliance, IT security testing programs and awareness training.