Data Threat Reports Highlight US Federal IT Security Challenges and Concerns
It is cyber security report season, or as many Chief Information Security Officers (CISOs) may call it, “The OMG! Season.” Two reports should be of interest to Cyber Security Trend Community members in the U.S., particularly those who deal with the federal government:
- U.S. Federal Government Edition of the 2016 Vormetric Data Threat Report (DTR).
- Annual Report to Congress: Federal Information Security Modernization Act (FISMA), Office of Management and Budget (OMB), March 18, 2016.
It is hard to tell which is more sobering considering that the U.S. is seen as being better prepared than most countries.
The professionals speak
Let’s start with the Vormetric (recently acquired by security solutions giant Thales) report, which was done in conjunction with analyst firm 451 Research, which polled 1,100 senior IT security executives at large enterprises worldwide, including over 100 in U.S. Federal Government organizations. This edition of the fourth annual DTR extends earlier findings in the global report and in the cloud, big data and IoT edition. The findings represent responses from IT security leaders in U.S. federal agencies. They provide granularity on respondents’ perceptions of threats to data, rates of data breaches, data security stances and IT security spending plans.
Below are the key findings:
- 90 percent feel vulnerable to data threats.
- 61 percent have experienced a past data breach, with nearly one in five indicating a breach in the last year.
- Skill shortages at 44 percent, and budgets at 43 percent, are identified as top barriers to adoption of better data security.
- In spite of news stories highlighting nation state hacking, the top external threat actors identified were cybercriminals at 76 percent, with nation state hackers a distant fourth at 47 percent.
- Bright spots include 58 percent increasing spending to offset threats to data, and 37 percent increasing spending on data-at-rest defenses this year.
"The results showed that Federal IT Security professionals are like generals fighting today's wars with the weapons of yesterday," said Garrett Bekker, senior analyst, information security, 451 Research. "As an example, spending intentions reflected a tendency to stick with what has worked in the past, such as network and endpoint security technologies that offer little help in defending against multi-stage attacks. Clearly, there's still a big disconnect between what we are spending most of our security budget on and what's needed to ensure that our sensitive data remains secure."
While the spending areas are going to be of interest to vendors selling to the federal government, one of the most interesting pullouts was the finding that, “Compliance is still a driver – but compliance is not enough.” As the authors note, “Slow moving compliance standards consistently fail to stop today's multi-level, multi-phase attacks. As we have learned from data theft incidents at companies that had reportedly met compliance mandates (such as Target), being compliant doesn't necessarily mean you won't be breached and have your sensitive data stolen. Yet 57 percent of U.S. federal respondents view meeting compliance requirements as a 'very' or 'extremely' effective way to protect sensitive data.”
The identification of a skills shortage and budgetary constraints will come as no surprise to community members, as sponsor (ISC)2 has documented. It should also not be surprising that concerns about privileged user access, contractor access, and the larger obsession with cybercriminals as opposed to nation state hackers are dominant themes, along with the government’s relatively insecure posture when it comes to the cloud, Big Data and the Internet of Things (IoT). As the authors say, “The U.S. federal agencies are doing many of the right things—they just need to do more.”
Feds do not make the grade on cyber security
The views of the insiders in the Vormetric survey are problematic enough, but the assessment in the OMB report is downright scary. The 95-page report is not exactly bedside reading, but one does hope that the right people in the government and in the U.S. Congress do spend some time with it.
Without going into the details, as a post in The Hill by Jacob Olcott notes, “Out of the 24 large agencies evaluated, the General Services Administration was the only agency to earn an A grade (a 91, on a scale of zero to 100). This was a significant decrease from 2014, when eight agencies earned A grades.”
Olcott, who in a previous life served as a legal advisor to the Senate Commerce Committee and as counsel to the House of Representatives Homeland Security Committee, has three recommendations worth considering.
- The government needs to modernize its data collection process.
- The government needs to reassess the accuracy of the data that it is collecting.
- The government must create more useful metrics to better evaluate the effectiveness of an agency’s program.
These may all seem to be common sense, but that does not mean they are easy to implement, particularly since they involve changing the way business is done in the government. That said, if the two reports combined can serve as tools for U.S. IT professionals to gain better traction for investing in the right things, they will have provided a valuable public service. In fact, they really do make for nice companion pieces.
Edited by Maurice Nagle