Why Organizations Fail to Implement Proper Security Safeguards and What They Can Do About It
The complexity of information technology and the constantly evolving threat landscape makes implementing appropriate controls and processes to secure information assets a major challenge for most enterprises in and out of government. The number of vulnerabilities organizations face is mindboggling: the National Institute of Standards and Technology vulnerability database tops 82,000, and that doesn't count unknown vulnerabilities.
For a dozen years, Gregory Wilshusen and his team of auditors and technical specialists at GAO, the investigative arm of Congress, have issued some 200 reports containing nearly 3,500 recommendations on U.S. federal government IT security, and have identified common problems organizations face and the reasons they often fail in securing information technology. Wilshusen identifies the common areas agencies struggle with to secure their IT and prevent breaches, including access controls, identity and authentication management, continuous monitoring, patch implementation and software testing; explain typical reasons organizations fail to take proper actions to secure their organizations' IT; and recommend solutions organization should take to mitigate this problem.
Though Wilshusen's focus is on government agencies, his findings and recommendations also apply to enterprises outside the federal government, including the private sector.