William Jackson | Why security isn't easy
- By William Jackson
- Jun 02, 2008
A recent survey by Symantec comparing the perceptions of federal information technology and security specialists with those of their peers in state and local government and the private sector raises a couple of interesting points. The first is that the feds have a much higher opinion of their cybersecurity posture and appear to be setting an example for best practices. The second interesting point is that although everybody agrees on the need for better cooperation, these domains are sharing little information with one another.
The two points are not unrelated. Some of the factors that have given the feds reason to feel good about themselves also contribute to the difficulty of sharing cybersecurity information. It is an example of how difficult security can be and why it is likely to continue as a major challenge for a long time.
The survey questioned more than 200 officials in each of three sectors: federal, state and local, and private. When asked to rate the overall level of IT security in their organizations, 77 percent of the feds put it at an 8 or better on a 10-point scale, compared with 58 percent in the private sector and 52 percent in state and local government. Sixty-three percent of feds said they participate in security preparedness exercises (39 percent for the private sector and 32 percent for state and local), 64 percent of feds have automated threat-reporting capabilities (44 percent of private and 38 percent state and local) and 75 percent of feds exchange threat reports with other agencies (only 50 percent of private and state and local respondents share with peers).
This is in marked contrast with the poor assessments federal agencies often receive for their IT security efforts.
'The federal government tends to get a black eye,' said John McCumber, strategic program manager at Symantec. But, he added, 'I think they have done a good job of growing a number of gifted men and women who really are leaders' in recognizing threats and understanding the need for policies to protect data rather than focusing solely on the infrastructure.
This brings us to the other piece of information. Just about everybody feels there is a need for greater collaboration to secure cyberspace, but fewer than half of the respondents in each category said they are reporting threat incidents to the other sectors. The obstacle is the very data-protection policies that improved security in federal agencies.
The technology to securely share information exists. McCumber said the No. 1 reason he hears for why organizations are not using the technology is that 'once it leaves our agency, we can't enforce our policies on the data.' So information that could help others is hoarded.
The lesson is that you cannot solve technology problems with policy, and you can't solve policy problems with technology. You have to work on both sides of the equation, and that is a skill that too often is lacking. Despite the federal government's success in developing a generation of security people who appear to appreciate the demands and needs of policy in addition to technology, it still is difficult to straddle both worlds.
Some of the difficulties are being addressed as IT security becomes more professional, with better training and educational programs and greater acceptance in the C-level suites of organizations. A more persistent difficulty is likely to be a lack of resources. Understaffed IT security shops will continue to focus on putting out fires and reacting to threats rather than taking a more proactive role within the organization. This means that it probably will be some time before issues such as normalizing requirements for data sharing can be addressed. And until they are, each sector will be left a little more vulnerable than it has to be.
William Jackson is a Maryland-based freelance writer.