Survey shows little confidence in FISMA's effectiveness.
With recent research highlighting compliance burdens as a top concern among IT workers, there’s little surprise in a new report that found federal cybersecurity professionals are putting little faith in compliance measures designed to improve information security and protect data.
A survey of 203 federal cybersecurity professionals by MeriTalk and NetApp found that respondents lack confidence in the Federal Information Security Management Act. Only half (53 percent) of cyber pros said FISMA has improved security at their agency, although just 27 percent said they are perfectly compliant with the law. The bulk of federal cyber workers (86 percent) also said that FISMA compliance increases costs.
While federal agencies are facing threats from every angle, respondents noted that insider threats (64 percent) continue to pose the greatest vulnerabilities, followed by non-state actors (60 percent) and state-sponsored threats (48 percent).
More than half of respondents also said their agency is either overloaded or cannot keep up with the amount of data crossing their network today, a burden that’s sure to become heavier, as many expect the data their agency must protect to grow by 47 percent by 2015. More than two-thirds (73 percent) believe their security solutions are not sufficient or will not be sufficient beyond the next year.
Most (83 percent) believe continuous monitoring will improve security at their agencies, though one-quarter (24 percent) said they lack the capabilities and resources to effectively execute continuous monitoring.
Despite the lack of confidence in FISMA among cyber pros, technology (36 percent) was still considered the greatest obstacle to improving cybersecurity, followed by policy (23 percent), culture (22 percent) and leadership (17 percent).
Going forward, cybersecurity professionals want larger budgets, fewer compliance burdens, improved technology and well-trained personnel. This may require the government to consider alternatives to FISMA and for agencies to begin looking at the entire infrastructure, including network and data management, to ensure secure systems. Agency leadership also needs to support cybersecurity professionals to make positive changes to how federal employees train, manage and internalize cybersecurity controls, according to the report.