Federal IT Execs, Staff Disagree On Cybersecurity

Study notes big gaps between IT management and staff perceptions of federal cybersecurity readiness, needs.
Senior-level federal IT managers and IT staff aren't at all on the same page when it comes to their assessments of the federal government's cybersecurity needs and chances for success, according to the results of a comparative study.

The study, sponsored by CA and independently carried out by the Ponemon Institute, compared the results of two recent, identical surveys and found that federal IT staff are less likely than management to agree with the statement that their agencies have strong IT postures. Staff also generally have less confidence in their agencies' abilities to accomplish any number of security objectives. Conversely, staff are more likely to label certain security technologies as "very important" than IT executives are.

"Gaps between an organization's leadership and people on the proverbial 'front lines' may lead to difficulties in managing threats, misallocating resources, and missing opportunities to meet mission-critical objectives," Poneman Institute chairman and founder Larry Poneman wrote in the report. "Experience shows that a lack of congruence between executives and rank-and-file staff make it difficult to execute security strategies that protect an organization from serious attack."

Across the board, federal IT staff are less confident that their agencies can meet key IT security objectives. For example, while 63% of IT managers think their agency can ensure its security program is adequately managed, only 43% of staff believe the same thing. There's a similar gap as to whether agencies can hire and retain qualified cybersecurity pros, secure sensitive or confidential information at rest, comply with legal requirements, and conduct effective independent audits.

There are also divergent views on which threats are the most serious. Rank-and-file employees rank databases as second on a list of the most serious threat locations to privacy and data security, with 59% citing databases as a location of serious threats. However, execs rated databases as fourth on the list, with only 25% citing databases as a serious threat location. Only 6% of execs cited offline data-bearing devices as a serious threat, as opposed to 28% of IT staff. That said, there was general agreement that wireless devices represent the largest threat.

The two groups also had differences in their assessment of the most important security technologies. Executives saw intrusion detection and prevention systems, data loss prevention systems, and anti-malware as the most important cybersecurity technologies, while staff pegged firewalls, database scanning and monitoring, and anti-malware. There were 26% and 20% more staff than IT execs that said firewalls and database scanning and monitoring technologies were important, respectively.

In general, there were even greater gaps in terms of identity and access technologies and system control activities (like training and auditing). For example, while 62% of federal IT staff judged privileged password management as "very important," only 31% of executives agreed.

While federal IT managers say lack of enforcement causes incompliance with federal cybersecurity regulations, IT staff lay the blame squarely at the foot of management. Managers pegged lack of enforcement, by a wide margin, as the primary reason why organizations fail to meet regulatory requirements when it comes to cybersecurity -- 46% called it out -- but only 12% of IT staff said the same thing. Instead, IT staff pointed to a lack of accountability and leadership and a lack of support from management.