There are distinct gaps among United States federal agency IT executives and IT professional staff when it comes to their opinion on how prepared their agencies are to deal with security threats, the strength of their security profiles, and their ability to achieve security objectives. These discrepancies could affect how security resources are allocated and how threats and risks are managed and controlled, according to a study by the Ponemon Institute.
The study is a comparative look at how IT executives and the IT staff in federal agencies view their various security issues, capabilities, and preparedness. Ponemon Institute polled an independent sample of 320 IT practitioners located in various federal departments and agencies. It compared the results to an earlier study of IT executives to understand if the beliefs and perceptions between these two groups were aligned when it came to security.
“As we were reviewing the results and seeing these gaps emerge, we recognized that these discrepancies could impact an agency’s ability to properly secure their IT environment and manage risk,” said Dr. Larry Ponemon, chairman and founder, the Ponemon Institute. “The gaps ranged widely from the need for training, to whether there was a single person responsible for an agency’s security initiatives.”
The results in several critical security areas, such as privileged user password management, training, and overall views of whether security objectives are being met, showed wide divergence between the two groups:
- A 31 percent gap in the importance of privileged user password management (PUPM). Sixty-two percent of IT staff-level respondents deemed PUPM very important, while just 31 percent of executives felt it was very important.
- A 21 percent difference in the importance of training end users and a 20 percent gap in training of privacy and security experts. The results showed that 62 percent and 63 percent of IT staff see training of end users and security experts, respectively, as very important, compared with just 41 percent and 43 percent of executives.
- IT staff are significantly less confident than IT executives that their agency is compliant with all applicable regulatory requirements, such as FISMA. Of those IT staff who felt their agency was not compliant, 30 percent cited a lack of accountability and senior leadership, or a lack of support from senior management, as the cause. Forty-six percent of IT executives who felt their agency did not meet requirements cited lack of enforcement as the primary reason.