Federal information technology officials gave themselves higher marks in information security compared with their counterparts in state and local governments and industry, according to a survey sponsored by a security software vendor. But the report showed the federal government still was behind in actually locking down systems.
Comment on this article in The Forum.According to a survey conducted by Symantec Corp. in April, 77 percent of federal survey respondents gave their agencies top marks in the overall level of IT security compared with 52 percent of state and local government officials and 58 percent of industry executives.
Listen to a podcast discussion with Symantec's McCumber on the study's findings."Important to keep in mind is that the [survey findings] are self-referential, where the survey was asking how the respondents perceive themselves," said John McCumber, strategic programs manager at Symantec. "They feel comfortable."
Part of the reason for federal IT managers' comfort is the amount of security training agencies participate in and the number of threat reports they complete. According to the survey, 63 percent of federal respondents participated in cybersecurity training exercises compared with 39 percent in the private sector and 32 percent in state and local governments. In addition, 64 percent of federal IT managers used automated threat reporting to track cybersecurity threats compared with 44 percent in the private sector and 38 percent in state and local governments. About three-quarters of federal IT managers shared cyber threat information with other federal managers, while only 50 percent of IT managers in state and local government and industry shared such data with peers.
The emphasis on training and reporting is largely due to the 2002 Federal Information Security Management Act, which requires chief information officers and inspectors general to conduct annual reviews of their agencies' information security programs and requires agencies to document and implement procedures for detecting, reporting and responding to security incidents. The law also requires agencies to notify the U.S. Computer Emergency Readiness Team about any security breaches.
"Agencies have preparedness exercises; they have automated threat and vulnerability reporting," McCumber said. "But we need to get to a dynamic process. We've moved from knee-jerking to fear, uncertainty and doubt. But we need better tools that offer more granular capabilities. That way, when government comes up with a policy, the rules can be put into the interface and enforced through the technology. The current process is static."
When survey respondents were asked how secure their computer systems were, federal IT managers rated their networks less secure than their counterparts. Sixteen percent of federal respondents said they had the most success in safeguarding databases compared with 18 percent of IT managers in state and local governments and 21 percent of private sector IT executives citing the most success in securing databases. Similarly, 14 percent of federal respondents said they had the most success in improving their ability to monitor threats compared with 16 percent in state and local governments and 20 percent in the private sector.
Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research organization in Bethesda, Md., who has been critical of how the federal government approaches cybersecurity, said the federal government lags industry, particularly the financial sector, in properly securing networks.
"Banks are definitely further along," he said. "The banks spend on identity management staff that can do penetration testing and application security -- not compliance and report writing, which eats up a huge amount of money in federal government."
Symantec surveyed online 600 federal, state and local government and private sector executives to gauge respondents' level of confidence in how secure their networks were and what their priorities were. All respondents expressed concern about the potential for data breaches, as well as the increased security risk that emerging technologies such as mobile devices presented. All respondents named budget, education and implementation of effective security tools as the biggest challenges to improving information security. The degree of collaboration between the public and private sectors also was low, according to the survey, with less than 50 percent of respondents in both segments saying they shared threat incidents.