Government Technology - April 2008 - (Page 28)

ABOUT THE SURVEY The Government Technology IT security survey was conducted in January and generated responses from 122 people. Of the respondents, 30 percent identiﬁed themselves as agency management, 28 percent as IT staff and 23 percent as ofﬁce employees. Elected ofﬁcials accounted for approximately 3 percent of respondents. Clearly security has your attention. But is attention translating into action? That’s a question we attempted to answer in January with the Government Technology IT security survey. The results present somewhat of a mixed bag. First the good news: Nearly 60 percent of your organizations have established a chief information security officer (CISO) or similar position — a figure that compares favorably with the private sector. Those CISOs also seem to be positioned for success, with appropriate access to both the CIO and agency upper management. Furthermore almost 80 percent of your organizations now have a formal security policy, and most of you said recent high- described their security preparedness as excellent, an assessment that could indicate dangerous overconfidence. “To be among the 18 percent that said ‘excellent’ is delusional, and it also reflects a complacency that you can’t afford in that space,” said Paul W. Taylor, chief strategy officer of the Center for Digital Government. “There’s much more realism in the ‘fair’ and ‘poor’ rankings and the bare majority that said ‘good.’ I think that’s a reasonable position to take — one that reflects that agencies are doing as well as possible under the circumstances. But they’re not making any claims that they’ve got the situation in hand. “I think security’s function is always to believe that they don’t have it in hand,” he continued. “There always are revolving threats, both internal and external.” Survey results also show that state and local governments are getting serious about putting someone in charge of their information security efforts. The number of state agement. Thirty-five percent of respondents said their CISO reports to the CIO or top IT executive, a reflection of the need for information security to be tightly ingrained in an organization’s overall technology structure. And nearly 50 percent said the CISO reports to an agency head or deputy director, indicating that many security officers can quickly escalate security problems to the very top of the organization. “You have 35 percent reporting to the CIO, which is a healthy development,” Taylor said. “But these results also suggest that the security officer can talk to their boss’s boss if they need to without being accused of insubordination.” Blind Spots On the other hand, the survey exposed a troubling lack of knowledge about the nature and frequency of cyber-security attacks against government organizations. More than 40 percent of respondents said they didn’t know if the volume of attacks against their organizations had changed over the past two years. And almost 50 percent didn’t know if the sophistication level of these attacks changed over the same period. Does your organization have a chief information security officer, chief security officer or similar position? Yes No Don’t know 58% 30% 12% “I THINK SECURITY’S FUNCTION IS ALWAYS TO BELIEVE THAT THEY DON’T HAVE IT IN HAND. THERE ALWAYS ARE REVOLVING THREATS, BOTH INTERNAL AND EXTERNAL.” Paul W. Taylor, chief strategy officer, Center for Digital Government profile security events raised awareness of cyber-security but didn’t discourage new technology deployments. And now the bad: Survey results indicate a fair amount of complacency among respondents, as well as a troubling lack of knowledge about both the volume and nature of cyber-attacks against their organizations. In addition, security awareness may be up, but security funding generally is not. Finally security training — perhaps one of the most effective weapons against information security breaches — remains an afterthought for many respondents. and local agencies creating a CISO or similar position compares well with the general industry trend. CIO magazine’s 2007 global information security survey — which polled 7,200 respondents in various industries worldwide — also found that 60 percent of organizations had created CISO or chief security officer positions. Furthermore government CISOs seem to be in the right place organizationally to make an impact. Taylor said the survey indicates a dual reporting relationship that gives CISOs access to both the CIO and agency manHow would you rate your organization’s cyber-security preparedness? Excellent Good Fair Poor 18% 53% 25% 4% Feeling Too Good? More than 75 percent of respondents rated their cyber-security preparedness as good or fair — a realistic estimate for organizations coping with rapidly changing security threats. But another 18 percent APR_08 Dan Lohrmann, Michigan’s CISO, called this lack of awareness a negative trend. “From my point of view, attacks are absolutely becoming more sophisticated,” he said. “And that’s the view of most security experts — just about anybody who is speaking on security anywhere in the world will tell you that.” But the trend isn’t confined to state and local government. CIO magazine found similar results in its global security survey, where 40 percent of respondents didn’t know how many attacks had hit their organizations, and 45 percent couldn’t identify the types of attacks hitting them. 28 http://www.govtech.com

Table of Contents Feed for the Digital Edition of Government Technology - April 2008

Government Technology - April 2008 Contents Point of View Big Picture The Last Mile On the Scene Four Questions for... Freeze Frame How Safe Is Your Data? Easy Street Gadget Overload Indiana Overhaul First Person: A Better Bill Data Defense Strength in Numbers Public Storage Products Two Cents Spectrum Personal Computing signal:noise

Government Technology - April 2008

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.