IT Security Jitters: Staff Vs. Execs
Survey: Fed IT Staffers More Anxious About Attacks than Executives
"In general, senior-level executives in the federal government are more confident than their staff in their organizations' ability to achieve their security objectives," according to Security in the Trenches: Comparative Study of IT Practitioners and Executives in the U.S. Federal Government. "The widest gaps between these two groups occur within organizations with the most pessimistic beliefs and perceptions about security. These agencies are the Department of Homeland Security, Health and Human Services and Department of Defense and these may be the most vulnerable to attacks."
Larry Ponemon, chairman of the Ponemon Institute, an IT security and privacy research organization that conducted the survey of 321 federal government IT professionals for the software company CA, said the discrepancies could have an adverse impact on an agency's ability to properly secure its IT environment and manage risk.
Where was the gap?
The biggest differential, 20 percentage points, was found in how each group perceived whether security programs were adequately managed (staff 43% vs. management 63%).
In one area after another, rank-and-file employees had a more pessimistic view than executives. Nineteen-percentage-point gaps between staffers and management were found in hiring and retaining highly qualified IT security personnel and in securing sensitive or confidential information at rest; 18-percentage-point differentials were found in complying with all legal requirements, conducting independent audits, preventing or curtailing virus and malware infections, and identifying and authenticating users before granting access to information assets or IT infrastructure.
Why the gap?
"Executives tend to see the big picture, whereas the IT staff-level sees a more focused view," Gilda Carle, a relationship expert who has worked with the Army, Internal Revenue Service, and IBM, said in a statement issued by the Ponemon Institute. "The difference in viewpoints can greatly affect how well an organization achieves its objectives. CBS has even created a No. 1 hit based on this principle called Undercover Boss, where bosses become part of the rank and file, and everyone learns what life is like from the other side."
Among the survey's other key findings:
- Employees and managers from departments such as Homeland Security, Health and Human Services, Justice and Treasury were more concerned about their agencies' ability to withstand an attack or comply with standards such as the Federal Information Security Management Act than those from agencies such as the Postal Service, Veterans Affairs and State.
- Non-managers are much more likely to see the need for privileged user management solutions than IT executives. The survey authors suggest IT executives in government may not place sufficient priority on controlling those users who have widespread access rights to the most sensitive or confidential information resources and critical infrastructure.
- Rank-and-file employees are much more likely to see the need for security training and awareness activities than senior managers, suggesting executives may be less aware of employee negligence, mistakes or non-compliance with procedures than those doing the work.
- IT senior managers perceive a limited number of security threats and see certain risks at a lower level of intensity than rank-and-file employees. "Executives appear to be focused on lost or stolen information assets, computers and endpoint security issues rather than systemic system attacks," the report's authors wrote. "On the other hand, rank-and-file employees acknowledge a wider set of issues, including database security and off-line devices."
- IT executives are consistently more positive than their IT and information security staffs about the effectiveness of the specific security procedures and tasks that are deployed. The widest gaps concern identification and authentication of users before granting access to information assets or IT infrastructure.
- Staffers are much more likely than managers to see the necessity of certain enabling technologies to reduce or mitigate security risks within their organizations. The technologies with the widest difference include identity and access management systems, firewalls, database security tools, and anti-virus/anti-malware tools.
- Rank-and-file employees are much more likely than executives to see organizational issues as barriers and challenges that affect the management of privacy, data protection and information security requirements and objectives.
Ponemon Institute polled an independent sample of 320 IT and IT security practitioners located in various federal departments and agencies.