2017 Key Findings for the Federal Sector
Over half of respondents (52 percent) indicate that regulations and mandates posed more of a challenge to managing risk.
· Respondents were twice as likely to feel that the Risk Management Framework posed a challenge to managing risk as to feel it contributed to success.
· While respondents were generally more positive about the benefits of other security regulations (FISMA, the NIST Framework for Improving Critical Infrastructure Cybersecurity, DISA STIGs, and HIPAA), many still believe that these mandates contribute to risk management problems.
· The majority (55 percent) of respondents feel that NIST’s Cybersecurity Framework has been successful in promoting a dialogue about managing risk, and more than eight in ten indicate their agencies are at least somewhat mature in each of the five areas of the Framework. Still, over a third (38 percent) agree that federal IT professionals don’t fully understand the Framework.
Compliance and risk management do not go hand-in-hand.
· Three quarters (75 percent) of respondents agree federal agencies are more proactive regarding IT security than they were five years ago.
· Though the majority (60 percent) agree that compliance has helped their agency improve its cybersecurity capabilities, seven in ten (70 percent) believe that being compliant does not necessarily mean being secure. Over half (54 percent) believe that security regulations and mandates can lead to complacency since tasks are performed to ‘check a box.’
Technology upgrades, cloud migration and network modernisation contribute to risk management challenges.
· Forty-three percent of respondents believe that IT modernisation efforts have contributed to successful risk management, but 34 percent indicate that these efforts have posed more of a challenge. Nineteen percent noted no change at all.
· Significantly more defense (51 percent) than civilian respondents (37 percent) indicate IT modernisation initiatives contributed to successfully managing risk.
· Only 20 percent of respondents believe cloud computing has contributed to improved risk management, while 68 percent believe cloud computing is posing more of a challenge or having no effect on an agency’s risk management posture.
· Two-thirds (66 percent) of respondents think that efforts to modernise networks have resulted in an increase in IT security challenges.
Careless or untrained insiders and foreign governments are noted as the largest sources of security threats at federal agencies.
· Fifty-four percent of respondents indicated that careless/untrained insiders represent the greatest security threat to their agency, up from 48 percent last year and the highest in four years.
· Foreign governments are again ranked number two as a source of security threats, as indicated by 48 percent of respondents.
· The threat of malicious insiders is also on the rise, up from 22 percent to 29 percent overall this year. Significantly more defense (40 percent) than civilian respondents (21 percent) indicate malicious insiders are a security threat at their agency.
High-performing agencies with excellent IT controls experience fewer cyberthreats, a faster response time, and more positive results from IT modernisation initiatives.
· High-performing agencies are more likely to indicate they have experienced a decrease in multiple cyber security threats in the past 12 months—double or triple the proportion of government agencies with less sophisticated IT control processes.
· Respondents who rate their agency’s ability to provide evidence of IT controls as excellent or good are significantly more likely than those who rate it as fair/poor to be able to detect most security threats within minutes.
· High-performing agencies with excellent IT controls are more likely than agencies rating their controls as fair/poor to note that IT modernisation has successfully contributed to their ability to manage risk as part of their overall security posture (61 percent versus 36 percent, respectively).
“An important message in this year’s report is that government agencies need to develop strong IT controls,” said Joe Kim, EVP, Engineering and Global CTO. “Agencies that have adopted these practices see more benefits from their technology investments, are better prepared for security threats, and are more successful at managing risk during modernisation projects.”