If government ITprofessionals aren't getting much sleep these days, it's likely because they're more worried than ever about catastrophic cyber-security breaches.
In InformationWeek's 2014 Federal Government IT Priorities Survey, 70% of respondents said that cyber- and information security programs are "extremely important" at their agencies, making IT security the highest government IT priority. Another 24% said IT security is at least fairly important. Only 3% said security is "not important at all."
The survey also demonstrated that security is intensifying as the top government IT priority. In last year's survey, 67% of respondents stated that information security is extremely important.
But while our survey indicates that government agencies have a sharp eye on information security, they're falling behind in critical areas such as cloud, data center consolidation, and overall IT innovation.
Protecting Information Gets Complex Beyond high-profile incidents like the Edward Snowden leaks of NSA documents, government IT pros are understandably troubled by the tens of thousands of cyber-attacks by foreign hackers on government systems and the new risks created by the proliferation of mobile devices. Another source of concern: unnoticed security breaches. A report issued earlier this year by Sen. Tom Coburn, R-Okla., found that nearly four in 10 intrusions into major civilian agency systems go undetected, posing a nightmare for IT managers.
"Information is the new weapon of choice," says one respondent to our survey, Joseph Reddix, CEO of the Reddix Group in Hanover, Md., which supplies IT project management and capital planning services to federal agencies. "When information is weaponized, you're in trouble. Information technology is about information, and it really should be about secure information."
But protecting information is becoming increasingly complicated. "If a foreign national stole plans for the F-35 [fighter plane], which is made in 40-plus different states," Reddix explained, "you only need one part to go bad to cause some big problems. And considering the planes cost $300 [million] to $400 million each, that's an awful lot of money. It can be extremely costly when there's a security breach."
Managers have to take a defense-in-depth approach, embracing the notion that systems are more secure when their various components are protected individually. Reddix says defense in depth should start with two-factor authentication, whereby each user employs security tokens combined with a password or a question/answer to gain access to information. Such a layered security approach makes it impossible to breach an entire system by cracking one password.
At the same time, securing information as it becomes more mobile and "intrinsic to everybody's life" is a growing challenge, Reddix says. As devices proliferate across the government and among consumers, so do the number and complexity of threats. In a mobile security study published last September, the Government Accountability Office reported that the number of variants of malware aimed at mobile devices had risen from about 14,000 to 40,000, or about 185%, in the last year.
Security Comes First Responses to another question in InformationWeek's 2014 Federal Government IT Priorities Survey reflect federal IT's rising concerns about security. Asked to what degree their agencies are pursuing the government's major IT initiatives, respondents put trusted Internet connections (27%), identity management (20%), and continuous monitoring (13%) in the "very aggressively" category. Continuous monitoring and identity management moved up the list compared with last year's survey, when they were ranked fourth and fifth, respectively.
But the fact that information security ranked ahead of other government IT programs isn't surprising.
InformationWeek Must Reads Oct. 21, 2014InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.