We just completed a survey of federal IT security professionals to examine the data protection posture of government agencies. Through the survey, sponsored by CA, we wanted to see whether or not there is consistency in the perception of rank-and-file employees and executive management as it pertains to the safeguarding of sensitive information, regulatory compliance, and the day-to-day management and execution of a security program.
What we found was interesting, and in keeping with what we’ve seen in the private sector: executives tend to view the information security programs they manage more positively than do the employees who actually carry out the plans.
That might not seem like a surprising result, but any time we can quantify what may appear to be an intuitive conclusion, it’s a helpful outcome. Progress in addressing operational challenges should be based on fact, and while trusting one’s gut may sometimes be helpful, our data suggest that the gut may not always be reliable. As the old saying goes, “trust, but verify.”
· While 62 percent of rank-and-file staff believed password management to be important, only 31 percent of executives agreed. That’s a 31 percent gap.
· The importance of training and awareness for end-users and for privacy and security professionals showed gaps of 21 percent and 20 percent respectively. Sixty-two percent and 63 percent of IT staff see training of end users and security experts as very important, while only 41 percent and 43 percent of executives agree.
· Confidence in organizational compliance with regulations such as FISMA is low among federal agencies, but rank-and-file employees believe a lack of leadership is to blame, while executives see the problem as poor enforcement.
The takeaway for federal agencies – but a lesson for all organizations struggling with information security challenges – is recognizing that these discrepancies could impact an agency’s ability to properly secure its IT environment and manage risk.
Rather than trusting your gut, why not sit down with the folks in the trenches and listen to what they have to say about their experiences executing against the mandates they’ve been given? Understanding the challenges they face each day may help to better identify some of the ways you can make significant improvements in your organization’s risk management and security readiness strategy.
Let us know what you think about this report, and let us know what you've learned by talking to the pros in your trenches.
We recently completed some new research with Accenture in which we were surprised to find that, in spite of all the attention being paid to data protection, and in spite of new and updated data protection regulations, complacency is beginning to settle in among many companies.