[Survey] Regulations, Careless Insiders, and IT Modernization Complicate Federal Cybersecurity
Featuring insights from 200 civilian and Department of Defense (DoD) IT decision-makers, the survey explores the security challenges faced by public sector IT professionals, quantifies the sources and types of IT security threats, and evaluates the impact of IT modernization initiatives, mandates, and compliance on government security preparedness.
Below are the key findings for the federal sector:
Over half of respondents (52 percent) indicate that regulations and mandates posed more of a challenge to managing risk.
• Respondents were twice as likely to feel that the Risk Management Framework posed a challenge to managing risk than to contributing to success.
• While respondents were generally more positive about the benefits of other security regulations (FISMA, NIST Framework for Improving Critical Infrastructure Cybersecurity, DISA STIGs, and HIPAA), many still believe that these mandates contribute to risk management problems.
• The majority (55 percent) of respondents feel that NIST’s Cybersecurity Framework has been successful in promoting a dialogue about managing risk, and more than eight in ten indicate their agencies are at least somewhat mature in each of the five areas of the Framework. Still, over a third (38 percent) agree that federal IT professionals don’t fully understand the Framework.
Compliance and risk management do not go hand-in-hand.
• Three quarters (75 percent) of respondents agree federal agencies are more proactive regarding IT security than they were five years ago.
• Though the majority (60 percent) agree that compliance has helped their agency improve its cybersecurity capabilities, seven in ten (70 percent) believe that being compliant does not necessarily mean being secure. Over half (54 percent) believe that security regulations and mandates can lead to complacency since tasks are performed to ‘check a box.’
Technology upgrades, cloud migration and network modernization contribute to risk management challenges.
• Forty-three percent of respondents believe that IT modernization efforts have contributed to successful risk management, but 34 percent indicate that these efforts have posed more of a challenge. Nineteen percent noted no change at all.
• Significantly more defense (51 percent) than civilian respondents (37 percent) indicate IT modernization initiatives contributed to successfully managing risk.
• Only 20 percent of respondents believe cloud computing has contributed to improved risk management, while 68 percent believe cloud computing is posing more of a challenge or having no effect on an agency’s risk management posture.
• Two-thirds (66 percent) of respondents think that efforts to modernize networks have resulted in an increase in IT security challenges.
Careless or untrained insiders and foreign governments are noted as the largest sources of security threats at federal agencies.
• Fifty-four percent of respondents indicated that careless/untrained insiders represent the greatest security threat to their agency, up from 48 percent last year and the highest in four years.
• Foreign governments are again ranked number two as a source of security threats, as indicated by 48 percent of respondents.
• The threat of malicious insiders is also on the rise, up from 22 percent to 29 percent overall this year. Significantly more defense (40 percent) than civilian respondents (21 percent) indicate malicious insiders are a security threat at their agency.
High-performing agencies with excellent IT controls experience fewer cyberthreats, a faster response time, and more positive results from IT modernization initiatives.
• Respondents who rate their agency’s ability to provide evidence of IT controls as excellent or good are significantly more likely than those who rate it as fair/poor to detect most security threats within minutes.
• High-performing agencies with excellent IT controls are more likely than agencies rating their controls as fair/poor to note that IT modernization has successfully contributed to their ability to manage risk as part of their overall security posture, 61 percent versus 36 percent, respectively.
“An important message in this year’s report is that government agencies need to develop strong IT controls,” said Joe Kim, EVP, Engineering and Global CTO. “Agencies that have adopted these practices see more benefits from their technology investments, are better prepared for security threats, and are more successful at managing risk during modernization projects.”
Read the full SolarWinds 2017 Federal Cybersecurity Survey Report.