TRENDING:

CISOs Paint Gloomy Picture of State IT Security

NASCIO Survey: Spending Cuts Make It Tough to Secure IT Systems Eric Chabrow (GovInfoSecurity) • September 28, 2010    
CISOs Paint Gloomy Picture of State IT Security
A survey of officials responsible for securing state government IT paints a gloomy picture of the current condition of information security.

The tough economy has debilitated state government, and many states continue to reel under budget deficits, which have an adverse impact on the ability of states to secure their digital assets, according to the 2010 Deloitte-NASCIO Cybersecurity Study unveiled Tuesday by the National Association of State Chief Information Officers and the management consultancy Deloitte.

Nearly nine of 10 respondents said the lack of funding is the biggest barrier to securing their states' IT systems. And, nearly eight of 10 respondents said their states' IT security budgets have been cut or remained the same from the previous year. "Unprecedented budgetary cuts across state governments and growing reliance on contractors and outsourced IT services are creating an environment that is even harder to secure," NASCIO President and Utah CIO Steve Fletcher said in a statement that accompanied the release of the study.

That's in sharp contrast to what's occurring in business; another Deloitte study shows that spending on IT security in the financial services industry rose during the economic downturn. "Research suggests that in lackluster economies, the security environment gets more dangerous," the report states. "With this in mind, it may not be the right time to cut security funding, given current risks."

After the budget, the next closest obstacle seen threatening state IT was the increasing sophistication of threats, chosen by 56 percent of state IT security officers, followed by inadequate availability of security professionals (40 percent), lack of support from business stakeholders (38 percent) and lack of visibility and influence within the enterprise (38 percent).

The CISOs and CIOs surveyed, as a group, didn't show much confidence in their ability to protect information assets from threats. Just over one-third of respondents said they were very or extremely confident in safeguarding data from external threats; they showed even less confidence in protecting information from internal threats, only 13 percent said they were very or extremely confident.

Fifty-five percent reported that they had at least one accidental breach of information originating from inside their enterprises such as the loss of unencrypted laptop and hard drives; another 40 percent said malicious software found on state computers originated from inside the enterprise; and 36 percent blamed employees for information breachs such as abusing privileged access or phishing e-mail.

All but one state participated in the survey, and among its main findings:

  • The enterprise CISO position is firmly established in the majority of states. To be successful, the researchers recommend, CISOs must continue to evolve this position to garner enterprise visibility, authority, executive support and business involvement.

  • States increasingly embrace strategic planning as part of their cybersecurity approaches and are converging on the National Institute of Standards and Technology risk assessment framework for strategic alignment. But, the report's authors caution, compliance to the NIST framework is unlikely to be achieved without compliance audit and enforcement requirement such as those detailed in the Federal Information Security Management Act that governs IT security in the federal government.

  • Security budgets and resources available to state CISOs lag behind those of their private-sector counterparts, a gap that is seen widening as businesses invest more on IT security.

  • Threats to personal identifiable information and personal health information are growing from internally and externally. States are in the early stages of establishing programs and deploying technology to protect sensitive data.

  • States employ the services of contractors, managed service providers and other third parties to deliver sensitive and critical constituent services, though managing the security of these third-party providers may not be keeping pace with the escalation of threats.

The dire situation many states face seems unending, as one state CISO told researchers: "On any given day, I deal with new viruses, zombie networks, phishing and pharming scams, foreign espionage, financial fraud and serious vulnerabilities introduced from the latest social networking or technological gadget on the market. My day feels like an over-the-top suspense movie."

Previous
PCI Details Expected in October
Next
Overcoming Fear of the Cloud

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



Around the Network

Properly Vetting AI Before It's Deployed in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.