IT Security Jitters: Staff Vs. Execs

Survey: Fed IT Staffers More Anxious About Attacks than Executives
Federal government IT security specialists working in the trenches seem more concerned than IT executives about their agencies' ability to withstand a cyber attack, according to a survey released Wednesday.

"In general, senior-level executives in the federal government are more confident than their staff in their organizations' ability to achieve their security objectives," according to Security in the Trenches: Comparative Study of IT Practitioners and Executives in the U.S. Federal Government. "The widest gaps between these two groups occur within organizations with the most pessimistic beliefs and perceptions about security. These agencies are the Department of Homeland Security, Health and Human Services and Department of Defense and these may be the most vulnerable to attacks."

Larry Ponemon, chairman of the Ponemon Institute, an IT security and privacy research organization that conducted the survey of 321 federal government IT professionals for the software company CA, said the discrepancies could have an adverse impact on an agency's ability to properly secure its IT environment and manage risk.

Where was the gap?

The biggest differential, 20 percentage points, was found in how each group perceived whether security programs were adequately managed (staff 43% vs. management 63%).

In one area after another, rank-and-file employees had a more pessimistic view than executives. Nineteen-percentage-point gaps between staffers and management were found in hiring and retaining highly qualified IT security personnel and in securing sensitive or confidential information at rest. Eighteen-percentage-point differentials were found in complying with all legal requirements, conducting independent audits, preventing or curtailing virus and malware infections, and identifying and authenticating users before granting access to information assets or IT infrastructure.

Why the gap?

"Executives tend to see the big picture, whereas the IT staff-level sees a more focused view," Gilda Carle, a relationship expert who has worked with the Army, Internal Revenue Service, and IBM, said in a statement issued by the Ponemon Institute. "The difference in viewpoints can greatly affect how well an organization achieves its objectives. CBS has even created a No. 1 hit based on this principle called Undercover Boss, where bosses become part of the rank and file, and everyone learns what life is like from the other side."

Among the survey's other key findings:

  • Employees and managers from departments such as Homeland Security, Health and Human Services, Justice and Treasury were more concerned about their agencies withstanding an attack or complying with standards such as the Federal Information Security Management Act than those from agencies such as the Postal Service, Veterans Affairs and State.
  • Non-managers are much more likely to see the need for privileged user management solutions than IT executives. The survey authors suggest IT executives in government may not place sufficient priority on controlling those users who have widespread access rights to the most sensitive or confidential information resources and critical infrastructure.
  • Rank-and-file employees are much more likely to see the need for security training and awareness activities than the senior managers, suggesting executives may be less aware of employee negligence, mistakes or non-compliance with procedures than those doing the work.
  • IT senior managers perceive a limited number of security threats and see certain risks at a lower level of intensity than rank-and-file employees. "Executives appear to be focused on lost or stolen information assets, computers and endpoint security issues rather than systemic system attacks," the report's authors wrote. "On the other hand, rank-and-file employees acknowledge a wider set of issues, including database security and off-line devices."
  • IT executives are consistently more positive than their IT and information security staffs about the effectiveness of specific security procedures and tasks that are deployed. The widest gaps concern identity and authentication of users before granting access to information assets or IT infrastructure.
  • Staffers are much more likely than managers to see the necessity of certain enabling technologies to reduce or mitigate security risks within their organizations. The technologies with the widest difference include identity and access management systems, firewalls, database security tools, and anti-virus/anti-malware tools.
  • Rank-and-file employees are much more likely than executives to see organizational issues as barriers and challenges that affect the management of privacy, data protection and information security requirements and objectives.

Ponemon Institute polled an independent sample of 320 IT and IT security practitioners located in various federal departments and agencies.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
