Dearth of Experts Puts IT at Risk
Gauging Attitudes of Government Security Practitioners
This is one of the key findings included in the new report on The State of Government Information Security Today survey.
The 2011 survey of 205 government IT security professionals also reveals that by a 2-to-1 margin they feel it is difficult or somewhat difficult to recruit qualified infosec experts. "Finding qualified IT security specialists is one of the biggest challenges facing governments at all levels," an analysis of the survey says. "It's a two-edged sword. First, there are just not enough IT security experts - especially with highly valued technical skills. Second, government salaries cannot match those offered by the private sector."
The survey gauges the attitudes of government IT security practitioners on the current state of government IT security, exposes barriers they must clear to do their jobs effectively, identifies services and technology they need to safeguard IT and determines the comfort level they have with cloud computing, a platform many see as being a dominant one in the years to come.
Among key survey findings:
Enemy from Within: Two-thirds of respondents blame poorly trained and careless employees for a lack of security; half say the inside threat and poor practices pose the greatest menace to government agencies' IT systems. The enemy is within. And, if not the enemy, the vulnerability is clearly from within the agencies. The non-malicious threat is of equal concern to, if not greater concern than, the threat from those who would intentionally do harm. "Individuals may do something accidentally, not intentionally; however, the consequence would be the same if it were intentional," says Multistate Information Sharing and Analysis Center founder Will Pelgrin, the former New York State chief information security officer.
Limited Resources: More than half our respondents say their agencies' IT security budgets represent no more than 2 percent of the overall IT budget. As a comparison, in 2010, Gartner estimated that, on average, private-sector businesses allotted 5 percent of their IT budgets to security. Among government agencies, our respondents report, fewer than one-quarter in 2010 designated 5 percent or more of their IT spend to security.
Spending Plan: Thirty percent of respondents list new technologies, staffing and contractors/third-party services as their top spending priorities. About 20 percent name cloud computing, access and identity management, encryption and securing mobile devices as their top security priorities for the coming 12 months.
Data Vulnerability: Nearly 60 percent of our respondents say they lack confidence that data can be secured. "Until specific guidance and processes are developed to guide the agencies in planning for and establishing information security for cloud computing, they may not have effective information security controls in place for cloud computing programs," says Gregory Wilshusen, Government Accountability Office director of information security issues.
Security Enforcement Concerns: Though concerns such as data loss - 56 percent - and mixing data with other cloud users - 49 percent - are considerable, the managerial and compliance aspect of cloud computing is the biggest concern of our respondents. Sixty-nine percent of our survey takers say their biggest concern with cloud computing is their ability to enforce security policy. "It turns out for risk management and compliance purposes, knowing where a piece of data is on the planet must be really, really important, especially if you don't want to violate laws or you want to deal with regulatory compliance," says Bret Hartman, chief technology officer of RSA, the IT security arm of storage vendor EMC.
Lack of Focus: Two-thirds of the surveyed government IT security practitioners say the federal government has not placed enough emphasis on cybersecurity. Harry Raduege, a retired Air Force general who ran the Defense Information Systems Agency and co-chaired the Commission on Cybersecurity for the 44th Presidency, says the Obama White House has done more than any other administration in addressing the nation's cybersecurity challenges, yet its work has not been sufficient.
More details on the survey can be found in a 48-page report, The State of Government Information Security Today.
A webinar based on the survey also features a round-table discussion among four prominent information technology policy leaders: U.S. Cyber Challenge National Director Karen Evans, who served as the nation's top IT official during the Bush administration; Melissa Hathaway, who ran President Obama's cyberspace policy review; Nevada state Chief Information Security Officer Chris Ipsen; and cloud computing expert Tom Soderstrom, chief technology officer at NASA's Jet Propulsion Laboratory.