nCircle 2012 Federal Security Trends Survey
"Despite all of the press hacktivism has received over the last 18 months, the response to this question suggests that hacktivism is not perceived as a significant threat category for the public sector, especially when compared to cyber crime and nation-state attacks," said Keren Cummins, director of federal markets for nCircle. "While nation-state and cyber crime attacks are perceived to present almost equal threat levels, this doesn't necessarily indicate growth in these areas; it may simply reflect our growing ability to detect foreign presence on our networks."

"When you ask a question about 'security' concerns and a large percentage of people direct their response toward 'compliance', it's an indication that we have our priorities in the wrong place," said Keren Cummins. "Let's hope compliance isn't considered a threat to federal IT security personnel. As an industry, we are trying to get people to think about threat-directed security. The government needs to make certain that compliance initiatives are contributing to security, not getting in the way."

"An overwhelming majority of security professionals continue to expect the number of data breaches to increase. It's not clear if this expectation is because hackers are getting better or because security is getting worse," said Elizabeth Ireland, vice president of marketing for nCircle.

"Maybe it's the association people make with their experiences going through airport security, but the responses of federal IT professionals indicate there is very limited confidence in the ability of the government in general, and DHS specifically, to regulate matters of national cyber security," said Keren Cummins, director of federal markets for nCircle. "Given this lack of confidence, we should be asking ourselves who is going to step up to this critical task, and how will regulation strategies change if there is a new presidential administration this year."

"Inside the government there is limited confidence that current proposed cyber legislation will improve the private sector's security posture," said Keren Cummins, director of federal markets for nCircle. "It's not clear if this is because of a general lack of confidence in security regulation as a tool to improve security posture, or if this is due to specific limitations in the proposed legislation."

"An overwhelming majority of federal respondents say CyberScope is not easing the burden of FISMA compliance. Based on these survey results, the CyberScope directive toward continuous monitoring to reduce organizational risk among agencies might actually be setting the government back," said Keren Cummins, director of federal markets for nCircle. "An imposed requirement to submit monthly security scan data to OMB -- and get publicly graded on whether that submission is taking place -- has produced the 'FISMA effect': shifting agency focus to compliance instead of better security."

"The potential benefits of CyberScope are certainly unrealized since at least one-third of agencies responding to this survey haven't participated in a CyberStat review session yet," said Keren Cummins. "Clearly, if CyberScope is going to make significant progress in achieving its goal to reduce network risk, then agencies need to walk away from the reporting process with a clear path toward improvement."

"It should come as no surprise that limited budgets are the greatest challenge for the implementation of continuous monitoring programs. While a recent GAO report indicates that there are high costs associated with agency implementations of continuous monitoring, when compared to the full value of a risk scoring program, the estimated cost seems relatively low," said Keren Cummins, director of federal markets for nCircle. "For organizations committed to using the program for risk identification, prioritization and remediation, continuous monitoring represents a considerably larger percentage of their overall FISMA costs - but I believe it will also help drive their overall FISMA costs down."

"This survey data supports the adage, 'when you measure the measurement and not the result, sometimes you just get the act of measurement and no results,'" said Keren Cummins, director of federal markets for nCircle. "The stated purpose of continuous monitoring is to manage and reduce risk, but only one-third of respondents have found continuous monitoring - as currently implemented and measured in their agencies - to have had a favorable impact on risk."