Security standards should be strengthened outside the federal government too

Tripwire announced the results of a research report that evaluated actions taken by the federal government to improve cybersecurity in 2021. Conducted by Dimensional Research, the survey evaluated the opinions of 306 security professionals, including 103 currently working for a United States federal government agency, with direct responsibility for the security within their organization.

Improving security outside the federal government should also be essential

According to the research, security professionals responsible for critical infrastructure believe that NIST standards should not only be improved and strengthened but enforced outside the federal government. This is likely because only 49% of non-governmental organizations surveyed (critical infrastructure and others) have fully adopted NIST standards, yet still identify ransomware as a primary security concern.

Federal security professionals are aligned with this thinking and also believe the government should be doing more to protect its own data and systems (99%). In fact, 24% think they are falling behind when it comes to preparedness to face new threats and breaches, citing lack of both leadership prioritization and internal expertise and resources as primary reasons.

“It’s clear that organizations – both public and private sector – are seeking further guidance from the federal government,” said Tim Erlin, VP of strategy at Tripwire. “Generally, long term enforcement and implementation of cybersecurity policy will take time, but it’s important that agencies lay out a plan and measure execution against that plan to protect our critical infrastructure and beyond.”

When it comes to implementing zero trust architecture, both federal and non-governmental organizations agree this strategy could materially improve cybersecurity outcomes, but only 22% say improvement is highly likely. They also agreed that integrity monitoring is foundational to a successful zero trust strategy (50%), or at least somewhat important (43%), but only 22% considered measuring integrity and security posture to be a core tenet of zero trust architecture. Secure communication (44%), limiting individual access (39%), and identifying data sources and computing services as resources (36%) were most commonly identified.

Where do organizations track on the path to zero trust?

• 25% of those surveyed from the federal government described their zero trust implementation as mature, while only 2% of critical infrastructure organizations identified this way.
• The majority of security pros – both public and private sector – described their progress toward zero trust adoption as needing some work, or in progress.
• Security professionals look to federal government guidelines as the top source for obtaining zero trust strategies and best practices, followed by information from security solutions vendors, consultants, and analysts.

“It’s promising to see progress toward zero trust implementation, but lack of focus on integrity is where we fall short,” said Erlin. “Maintaining and understanding the integrity of an organization’s people, processes and technology is the foundation of strong zero trust architecture and should be prioritized as such. Simply put, you can’t have zero trust without integrity.”

While hardening systems against ransomware may be a driving force for implementation now, 83% of security pros expect that something worse than ransomware may be coming. Fortunately, both federal and non-governmental organizations have responded to this year’s attacks on critical infrastructure with preventative action – 98% of agencies report progress on executive orders on cybersecurity (nearly half say significant progress), and over 50% of non-government groups have taken specific steps to improve cybersecurity efforts.