Security in the Trenches

April 14, 2010

We just completed a survey of federal IT security professionals to examine the data protection posture of government agencies. Through the survey, sponsored by CA, we wanted to see whether or not there is consistency in the perception of rank-and-file employees and executive management as it pertains to the safeguarding of sensitive information, regulatory compliance, and the day-to-day management and execution of a security program.


What we found was interesting, and in keeping with what we’ve seen in the private sector: executives tend to view the information security programs they manage more positively than do the employees who actually carry out the plans.

That might not seem like a surprising result, but any time we can quantify what may appear to be an intuitive conclusion, it’s a helpful outcome. Progress in addressing operational challenges should be based on fact, and while trusting one’s gut may sometimes be helpful, our data suggest that the gut may not always be reliable. As the old saying goes, “trust, but verify.”

What we did find surprising in our report, Security in the Trenches: Comparative Study of IT practitioners and Executives in the U.S. Federal Government (available at CA’s web site), was how big some of the gaps were. Some examples:

- While 62 percent of rank-and-file staff believed password management to be important, only 31 percent of executives agreed. That’s a 31 percent gap.
- The importance of training and awareness for end users and for privacy and security professionals showed gaps of 21 percent and 20 percent respectively: 62 percent and 63 percent of IT staff see training of end users and of security experts as very important, while only 41 percent and 43 percent of executives agree.
- Confidence in organizational compliance with regulations such as FISMA is low across federal agencies, but rank-and-file employees believe a lack of leadership is to blame, while executives see the problem as poor enforcement.

The takeaway for federal agencies – and a lesson for all organizations struggling with information security challenges – is to recognize that these discrepancies could impact an agency’s ability to properly secure its IT environment and manage risk.

Rather than trusting your gut, why not sit down with the folks in the trenches and listen to what they have to say about their experiences executing against the mandates they’ve been given? Understanding the challenges they face each day may help you identify ways to make significant improvements in your organization’s risk management and security readiness strategy.

Let us know what you think about this report, and let us know what you've learned by talking to the pros in your trenches.

Posted by Dr. Larry Ponemon at 10:23 am


Comments

April 20, 2010 6:49pm Lynette

Government end-users need to be educated on IT security. What will happen if an end-user starts using an outside mail system over the internet to correspond about sensitive material, or loses a laptop for months and does not report it, or thinks they're on a VPN but ends up pulling an unsecured connection while they're at home? End-users need to be educated because any wrong decision has the possibility of being a point of failure for the entire network.