Despite significant investments in new cybersecurity policies, guidance and tools, the federal government’s state of security readiness suggests little return on its investment.
(ISC)² has released the US federal government findings of its seventh Global Information Security Workforce Study (GISWS), finding that nearly half of respondents say that security has not improved over the last two years, while 17% of respondents say their organization’s security posture is actually worse off—primarily due to an inability to keep pace with threats, a poor understanding of risk management, inadequate funding and not enough qualified professionals.
“The results of this year’s workforce study are somewhat predictable, yet startling at the same time,” said Dan Waddell, director of government affairs for the National Capital Region at (ISC)². “While the task at hand is indeed overwhelming given the complexity of threats and the government’s limited resources, when we consider the amount of effort dedicated over the past two years to furthering the security readiness of federal systems and the nation’s overall security posture, our hope was to see an obvious step forward. The data shows that, in fact, we have taken a step back.”
The bad news doesn’t stop there. The study also found that despite significant efforts over the last two years, 58% of respondents are still not confident that legislators will provide new or adequate levels of funding to meet cybersecurity needs. And, despite the softening of hiring budgets and a decrease in barriers to entry, an increasing number of respondents say they do not have enough information security personnel to meet the demands of their mission, and that the workforce gap is hurting the organization and its customers.
“On a positive note, we are starting to see an uptick in federal personnel salaries, with a 4% jump over salaries reported in 2013,” said Waddell.
Threat response times have also not changed in two years. More than half of survey respondents believe that their organization did not improve its security readiness, with response times lengthening. Application vulnerabilities and malware remain the top security threats and are increasing as a concern. And although procurement and acquisition are cited as moments of great vulnerability, there remains very little focus on applying security during the supply chain process.
Some specific initiatives are failing to bear fruit as well. For instance, there has been little return on the larger investment in NIST’s Cybersecurity Framework: just 15% of organizations outside of the federal government have implemented the Framework to date, and 45% say they don’t know whether they will use it.
Cloud too is still slow to take off, despite the federal government’s CloudFirst initiatives. The Federal Risk and Authorization Management Program (FedRAMP), in particular, is having less of an impact than was anticipated in advancing cloud migration, with 64% of respondents not knowing if it is having any impact.
“Overall, the federal government must invest more to improve cybersecurity, but it needs to find better ways to ensure that those investments will provide adequate returns,” Waddell said. “Given the significant demand for skilled professionals, training and education are areas of investment that can lead to significantly higher returns and help to both attract and retain cybersecurity professionals.”