Government IT pros say a network hack would be worse than ...
Most government IT professionals, by a wide margin, would rather be trapped in an elevator for 24 hours than have their networks hacked, according to a recent survey.
This could explain why cybersecurity is listed as the top area for expanded IT spending in the coming year, with 59 percent saying they expect increased security spending, topping cloud computing by 14 percentage points.
The results from a survey of 400 federal, state and local government officials conducted for Cisco underscore the foundational importance of cybersecurity. Being stuck in an elevator would ruin your day. A breach of your network or data could ruin your career, and 71 percent said they’d rather be stuck in the elevator. If your security does not work, nothing else really matters.
Feds tend to be more conscious of this than those in state and local government. Improving security is the second-place technology goal in the overall survey at 22 percent, behind reducing costs (28 percent), but security is tops in the federal sector. Budget constraints are the top threat to IT infrastructure, at 35 percent overall, and cyberattacks come in second, at 17 percent, but attacks are seen as a bigger threat in the federal sector than among state and local organizations. This does not necessarily mean that federal networks are more vulnerable than those in state and local systems, but the U.S. government is a high-profile target for hacktivists, criminals looking for valuable intellectual property and other nations engaged in espionage.
Cybersecurity professionals are in an almost no-win situation. In just about every assessment of security they come up looking bad. If they are graded on compliance with regulations, they are told that they are ignoring real-world security. If they focus on practical security, compliance is likely to slip. And complete security is impossible in a dynamic environment in which the functionality and configuration of hardware and software change on a daily basis. The best they can do is manage an acceptable risk. But no risk looks acceptable after a breach.
The professionals surveyed know that there is no simple answer to improving cybersecurity. Twenty-one percent of them listed better technology as the most effective way to improve security, followed by better enforcement of policies at 18 percent and better employee training at 15 percent. But most of them refused to single out one factor for improvement; 42 percent said that all three were equally important.
One factor not addressed in the survey is stability. It is hard to secure a system while ensuring its operational availability to users when you don’t know from day to day, let alone year to year, what financial and manpower resources are going to be available. The chaotic state of government over the last few years, illustrated most recently by the government shutdown forced by political hostage-taking, erodes IT security along with every other measure of performance. I imagine that if it had been offered as a choice in the survey, a rational Congress would top the wish list for IT professionals.
Posted by William Jackson on Oct 07, 2013 at 11:21 AM