Cry for Help from Gov't IT Security Practitioners
Finding Meaning In Our Government Infosec Survey Results
What's most interesting about surveys aren't the raw numbers, but the meaning behind the data.
I presented the inaugural GovInfoSecurity.com State of Government Information Security survey at the RSA 2011 IT security conference on Thursday, and here are some of the results and the analysis I shared with attendees on what those numbers mean.
Question: Has the federal government placed enough emphasis on cybersecurity?
Answer: No, 67%; Yes, 26%; No opinion, 7%.
Analysis: A few weeks ago, we published an item that carried the headline: Giving Obama a "D" in Cybersecurity. A group called the National Security Cyberspace Institute assessed the first two years of the Obama presidency, and issued the D because it took the president more than a half year to name a cybersecurity coordinator. Now, the rest of the report card wasn't as awful - it contained a smattering of B's and C's. Not being familiar with the Institute, I asked Melissa Hathaway to vet its findings, and she reported back: "I thought the report card was well researched and thoughtful."
And, earlier this month, the Commission on Cybersecurity for the 44th Presidency issued its final report, which found that the administration had addressed many of the recommendations the commission made just after the 2008 election, but noted that the economy and two wars have distracted the president and his top aides from doing more. The commission co-chair, retired Air Force General Harry Raduege, told me that this White House has done more than any other administration in addressing the nation's cybersecurity challenges, yet its work has not been sufficient.
The belief that more must be done is reflected by the two-thirds of those we surveyed who feel the federal government - implicitly the Obama administration - has not placed enough emphasis on cybersecurity. And, the fact that Congress failed to enact cybersecurity reform last year doesn't help, either.
Question: Should a White House cybersecurity director have budgeting authority?
Answer: Yes, only advisory, 43%; Yes, with veto power, 21%; No, 28%; Don't know/no opinion, 8%.
Analysis: As you look at this question, forget for a moment the words "White House." Substitute "DHS" or some other agency, if you will. The point of this question - should a cybersecurity director have budgeting authority? - is telling. More than half feel he or she should.
That suggests that those IT security practitioners in the trenches seek leadership; they want someone to make the hard decisions on the direction government IT security is heading.
Question: What poses the greatest security threat?
Answer: Insider threat, 51%; Poor practices, 50%; Exploitable software vulnerabilities, 46%; Configuration errors, 38%; Malware, 31%.
Question: Who poses the greatest security threat?
Answer: Poorly trained/careless users, 65%; Insider employees, 55%; Insider contractors, 42%; Foreign nations, 29%; Terrorists, 9%.
Analysis: Look at the data, and WikiLeaks comes to mind. The enemy is within. And, if not the enemy, the vulnerability clearly comes from within government agencies. Most threats are not from nefarious actors, but from careless users and poor practices. Government IT security practitioners don't get to pick their enemy; danger lurks everywhere.
Question: What are your biggest reservations about cloud computing?
Answer: Enforcing security policies, 69%; Data loss prevention, 56%; Mixing data with other users, 49%; Continuity of operations planning, 27%.
Analysis: Though concerns such as data loss and mixing data with other cloud users are considerable, it is the managerial and compliance side of cloud computing that concerns most of our respondents. By far, their biggest reservation about cloud computing is whether they will be able to enforce security policy.
Our survey covered a lot more than what we presented at RSA and what we have posted online. We'll be sharing more results and analysis in the coming weeks.