The greatest threat to federal IT security is not foreign nations or Advanced Persistent Threats. It is careless insiders. The biggest roadblock to securing federal networks is a lack of money and skilled personnel.
Those are among the findings from a recent survey of federal IT and security personnel by SolarWinds. Given the challenges of too few resources chasing too many priorities, it is not surprising that most respondents said new security mandates and IT modernization programs create more problems than they solve.
While there are some positive findings (three quarters of respondents said their agencies are more proactively managing IT security), the overall picture presented by the survey is one of an IT community trying to do too much with too little.
Some caveats. This was an online survey of 200 federal IT managers and workers. The report does not say how the respondents were selected or what the response rate was, so it is impossible to say how representative these responses are. It could be more anecdotal than statistically significant. But even if anecdotal, there are some interesting insights.
Budget constraints were listed most often as the greatest obstacle to IT security, getting 30 percent of the responses, followed by competing priorities and initiatives at 16 percent. No surprises there. There is never enough money to go around. And the federal IT workforce has been recognized as a weak spot for years, so it is no surprise that a lack of skills was cited as a major problem in detecting and remediating problems.
What is unexpected is the extent to which the federal user is perceived as a threat. Fifty-four percent of respondents listed careless and untrained insiders as the greatest threat, and malicious insiders were named by 29 percent. That’s a whopping 83 percent, with the bumblers outscoring the malicious by almost two to one. Foreign governments scored only a respectable 48 percent. Clearly a lack of security training and awareness is seen as a real problem. And this problem apparently is getting worse. The perceived threat from careless insiders has increased steadily over the four years that the survey has been done, from 42 percent in 2014. And the number of respondents listing malicious insiders as the biggest worry has increased also, from 17 percent in 2014.
Generally, the survey indicates that security regulations and mandates are seen as posing more of a challenge than contributing to risk management. Security professionals understand the need for regulating and standardizing security, but they also understand that compliance does not equal security and that when resources are stretched too thin, every dollar and man-hour spent on compliance can come at the expense of addressing immediate problems.
In the same vein, 66 percent of respondents said network modernization has resulted in increased IT security challenges. The new technologies bring with them more vulnerabilities, which have to be addressed while legacy systems still are being maintained. There also is a lack of training in new technologies. This is disturbing because one of the drivers of IT modernization, along with improving economy and productivity, is improving security.
The bottom line for this survey seems to be that if leaders in the White House and Congress are serious about securing the federal IT infrastructure, they need to focus not on technology but on security budgets, hiring and training. These areas are not sexy and are easy to cut. But the cuts have consequences. As long as agencies do not have the money and resources to do the job, telling them to do more with less is not going to solve the very real cybersecurity problem.