Think Information. Think Security.
No! Don't tell me they joined Anonymous already.

The situation described below is true not only of the United States; the story is likely the same elsewhere. If this situation continues, what defense do we have against the growing sophistication of the threats we are currently confronting?

Half of information security practitioners working for federal, state and local governments believe a shortage of qualified IT security professionals places government IT systems at risk, according to a 2011 survey conducted by 

This is one of the key findings included in the new report on The State of Government Information Security Today survey.

The 2011 survey of 205 government IT security professionals also reveals that by a 2-to-1 margin they feel it is difficult or somewhat difficult to recruit qualified infosec experts to hire. "Finding qualified IT security specialists is one of the biggest challenges facing governments at all levels," an analysis of the survey says. "It's a two-edged sword. First, there are just not enough IT security experts - especially with highly valued technical skills. Second, government salaries cannot match those offered by the private sector."

The survey gauges the attitudes of government IT security practitioners on the current state of government IT security, exposes barriers they must clear to do their jobs effectively, identifies services and technology they need to safeguard IT and determines the comfort level they have with cloud computing, a platform many see as being a dominant one in the years to come.

Among key survey findings:
  • Enemy from Within: Two-thirds of respondents blame poorly trained and careless employees for a lack of security; half say the inside threat and poor practices pose the greatest menace to government agencies' IT systems. The enemy is within. And, if not the enemy, the vulnerability is clearly from within the agencies. The non-malicious threat is of equal concern, if not more so, than those who intentionally would do harm. "Individuals may do something accidentally, not intentionally; however, the consequence would be the same if it were intentional," says Multistate Information Sharing and Analysis Center founder Will Pelgrin, the former New York State chief information security officer.
  • Limited Resources: More than half our respondents say their agencies' IT security budgets represent no more than 2 percent of the overall IT budget. As a comparison, in 2010, Gartner estimated that, on average, private-sector businesses allotted 5 percent of their IT budgets to security. Among government agencies, our respondents report, fewer than one-quarter in 2010 designated 5 percent or more of their IT spend to security.
  • Spending Plan: Thirty percent of respondents list new technologies, staffing and contractors/third-party services as their top spending priorities. About 20 percent name cloud computing, access and identity management, encryption and securing mobile devices as their top security priorities for the coming 12 months.
  • Data Vulnerability: Nearly 60 percent of our respondents say they lack confidence that data can be secured. "Until specific guidance and processes are developed to guide the agencies in planning for and establishing information security for cloud computing, they may not have effective information security controls in place for cloud computing programs," says Gregory Wilshusen, Government Accountability Office director of information security issues.
  • Security Enforcement Concerns: Though concerns such as data loss - 56 percent - and mixing data with other cloud users - 49 percent - are considerable, the managerial and compliance aspect of cloud computing concerns most of our respondents. Sixty-nine percent of our survey takers say their biggest concern with cloud computing is their ability to enforce security policy. "It turns out for risk management and compliance purposes, knowing where a piece of data is on the planet must be really, really important, especially if you don't want to violate laws or you want to deal with regulatory compliance," says Bret Hartman, chief technology officer of RSA, the IT security arm of storage vendor EMC.
  • Lack of Focus: Two-thirds of the surveyed government IT security practitioners say the federal government has not placed enough emphasis on cybersecurity. Harry Raduege, a retired Air Force general who ran the Defense Information Systems Agency and co-chaired the Commission on Cybersecurity for the 44th Presidency, says the Obama White House has done more than any other administration in addressing the nation's cybersecurity challenges, yet its work has not been sufficient.
Cross post from GovInfoSecurity