Making Critical Connections for Better Security

By Stacey McDaniel

In the coming months, discussions about cybersecurity efforts within the public sector are likely to intensify. These discussions will be driven by progress on the comprehensive National Cyber Security Initiative, established in January by executive order. The Initiative, intended to lock down government networks so they are protected from IT threats, has sparked discussions about government information security vulnerabilities, including lack of information sharing.

To get a more accurate view of information security protection and priorities, the 2008 Critical Connections Study was conducted by O’Keeffe & Company in April 2008. The study captured the input of 600 IT executives in federal, state, and local government, as well as private sector organizations. The goal: to identify information security connections, disconnects and opportunities for improvement.

The findings provide an interesting glimpse into what your peers are thinking about, where security priorities lie and the common connections shared by every organization. The survey found that 68% of federal, 59% of private sector and 48% of state and local respondents call for increased collaboration to improve cybersecurity. In addition, 78% of private sector respondents say they want more information from the government on cyber threats.

Common connections
Some of the most prevalent security issues and concerns of all executives surveyed include:

• Rising risks Security incidents are on the rise, making IT security more important than ever. The survey indicated that 63% of the respondents reported increased threats in 2007, and 82% of the respondents are placing a higher priority on information security this year.
• Data breach fears When it comes to potential security threats, all groups fear data breaches the most. In fact, 78% of the federal government executives and 60% of the state and local executives cited data breaches as the No. 1 security priority.
• More than money It is a common perception that budget constraints are the main reason why organizations lack proper security. However, the study found that it’s not just decreasing budgets that impact security initiatives. Lack of IT education and failure to implement the right tools and technology were a close second and third, as barriers to security for all respondents.
• Building security All sectors surveyed have tried to improve security over the past year. For government organizations, database security was an area that met with the most success. Threat monitoring and management along with security training also met with success last year.
• Questionable spending priorities Mobile security is a growing security concern but is not being adequately addressed with security spending allotments. The survey found that 52% of federal and 34% of state and local IT executives view mobile security as a critical security issue. In contrast with this priority and an increasingly mobile workforce, just 25% plan to increase mobile-security spending in 2008.

The survey also revealed some differences among the groups polled. Resolving these differences, or disconnects, will go a long way toward shoring up cybersecurity in and out of the government.

Feds leading the way Among the various groups surveyed, respondents from the federal government indicated the highest standard of information security leadership:

• 63% participate in cybersecurity preparedness drills (compared to 32% of state and local government organizations).
• 64% have automated threat reporting (compared to 38% of state and local government organizations).
• 75% receive and share threat data with peers (compared to 50% of state and local government organizations).
• Security self-assessments rating the overall level of IT security had federal government officials giving themselves a higher rating (77%) than state and local (52%) officials.

More collaboration Respondents agreed that better public/private collaboration in securing cyberspace is necessary. Less than half of federal respondents report threat incidents to the private sector or state or local government. Likewise, less than half of private sector respondents report incidents to federal or state or local government.

Preparation not a priority As the saying goes, organizations should “talk the talk and walk the walk” when it comes to IT security. That adage is not being adhered to within state and local governments, however, as only 32% participate in cybersecurity preparedness exercises, and 38% have automated cyber threat/vulnerability reporting. (The federal government sets a better example, reporting 63% and 64%, respectively.)

Next steps
According to the 2008 Critical Connections Study, 78% of private sector respondents want more information from the government on cyber threats. Everyone agrees that better coordination is a necessity on the path to improved security. The federal government is the clear information security leader among the groups, and it is in a position to share best practices and support information security and business continuity improvement across private industry and state and local government.

The National Cyber Security Initiative can serve as the catalyst for change. More than $30 billion has been allocated over the next 10 years to improve cybersecurity as part of the Initiative -- so it will be a hot topic in the coming years. Moreover, as the Critical Connections Study revealed, public and private sectors share many of the same IT security pains and coexist in a shared threat environment but rarely team up for security. Now is the time to work together to establish the critical connections necessary to improve security in the public and private sectors.

Stacey McDaniel has been writing about high-tech issues for more than six years.