Despite the government's poor track record on cybersecurity, most IT leaders in the US and elsewhere believe government can help the private sector create a solid security strategy and protect organizations against internal and external threats, concludes a new global study of IT leaders by Dell.
Dell interviewed 1,440 IT leaders in 10 countries from public and private sectors to gauge their awareness and preparedness for a new wave of threats in IT security. The study found nearly three-quarters of respondents had experienced a security breach within the last 12 months, confirming the growing seriousness of the security threats IT leaders face.
The scope of threats -- both known and unknown -- poses a multitude of new risks for organizations, the study found, especially as enterprises expand their reliance on cloud computing and allow employees to bring their own devices to work.
Organizations need to restructure their IT processes and collaborate more with other departments to prepare for the next security threat, the study concludes, although that sentiment varies, from 85% among US respondents to 43% in the UK and 45% in Canada. The study also surveyed IT leaders in France, Germany, Italy, Spain, India, Australia, and China.
But the majority -- 76% globally and 93% in the US -- agreed that to combat today's cyber criminals, organizations must protect themselves both inside and out. Threats come from all perimeters. They are often caused by poorly configured settings or permissions or by ineffective data governance, access management, or usage policies, according to the study.
Companies that have experienced a security breach dedicate an average of 18% of their IT budget to security, according to the survey. Half of IT leaders surveyed believe security training for new and current employees is a priority and two-thirds say they have increased funding for security training and education. Nearly three-fourths (72%) of US respondents, and 54% worldwide, say they increased spending for monitoring services over the past year.
Nearly 90% of respondents believe that government involvement is necessary to help the private sector determine cyberdefense strategies. In fact, 78% of IT leaders in the US believe that the federal government plays a positive role in protecting organizations against internal and external threats. More than half (53%) said the government's role in security is helping operational effectiveness, with only 17% claiming that the government is hindering effectiveness.
Despite positive attitudes toward the government's involvement, federal agencies continue to face security challenges, many of which were highlighted in a February 4 report published by Senator Tom Coburn (R-Okla.). According to the report, "The Federal Government's Track Record on Cybersecurity and Critical Infrastructure," there were more than 48,000 cyber "incidents" involving government systems, which agencies detected and reported to the Department of Homeland Security (DHS) in fiscal year 2012.
The US government has spent at least $65 billion to secure its computers and networks since 2006, yet "weaknesses in the federal government's own cybersecurity have put at risk the electrical grid, our financial markets, our emergency response systems, and our citizens' personal information," Coburn said on his website.
Those who participated in the Dell study reported that on average it took seven hours to detect a breach. "On government networks, seven hours is much too long, potentially providing cyber criminals with access to critical national security information," Paul Christman, vice president of public sector for Dell Software, said in an interview with InformationWeek Government.
A week after Coburn's report, the National Institute of Standards and Technology (NIST) released its "Framework for Improving Critical Infrastructure Cybersecurity," a catalog of best practices and standards for companies to use in developing security programs. The framework follows an executive order to protect privately owned critical infrastructure. DHS is launching a program to support private sector adoption of the framework by offering access to the department's cybersecurity experts.
Christman said that's exactly what companies are looking for. "There is a clear need for strong leadership and guidance from public sector organizations in helping the private sector," he said.