Staffers fret over cyber attacks more than execs

Wednesday, April 28, 2010 @ 05:04 PM gHale


It is the age-old work scenario: those working in the trenches see the real-life situation, while executives think about the big picture. When it comes to security, the same holds true: federal government IT security specialists worry more about their agencies' ability to withstand a cyber attack than IT executives do.
“In general, senior-level executives in the federal government are more confident than their staff in their organizations’ ability to achieve their security objectives,” according to the report entitled “Security in the Trenches: Comparative Study of IT Practitioners and Executives in the U.S. Federal Government.” “The widest gaps between these two groups occur within organizations with the most pessimistic beliefs and perceptions about security. These agencies are the Department of Homeland Security, Health and Human Services and Department of Defense and these may be the most vulnerable to attacks.”


The discrepancies could have an adverse impact on an agency’s ability to properly secure its IT environment and manage risk, said Larry Ponemon, chairman of the Ponemon Institute, an IT security and privacy research organization that conducted the survey of 321 federal government IT professionals for the software company CA.
The biggest gap in understanding, 20 percentage points, was in how each group perceived whether security programs were adequately managed (43% of staff vs. 63% of management), according to the study.
In most cases, rank-and-file employees had a more pessimistic view than executives. Gaps of 19 percentage points separated staffers and management on hiring and retaining highly qualified IT security personnel and on securing sensitive or confidential information at rest; gaps of 18 percentage points appeared on complying with all legal requirements, conducting independent audits, preventing or curtailing virus and malware infections, and identifying and authenticating users before granting access to information assets or IT infrastructure.
“Executives tend to see the big picture, whereas the IT staff-level sees a more focused view,” said Gilda Carle, a relationship expert who has worked with the Army, Internal Revenue Service, and IBM. “The difference in viewpoints can greatly affect how well an organization achieves its objectives.”
Among the survey’s other key findings:
• Employees and managers from departments such as Homeland Security, Health and Human Services, Justice and Treasury remained more concerned about their agencies withstanding an attack or complying with standards such as the Federal Information Security Management Act than those from agencies such as the Postal Service, Veterans Affairs and State.
• Non-managers are much more likely to see the need for privileged user management solutions than IT executives. IT executives in government may not place sufficient priority on controlling users who have widespread access rights to the most sensitive or confidential information resources and critical infrastructure.
• Rank-and-file employees are much more likely to see the need for security training and awareness activities than senior managers, suggesting executives may be less aware of employee negligence, mistakes or non-compliance with procedures than those doing the work.
• IT senior managers perceive a limited number of security threats and see certain risks at a lower level of intensity than rank-and-file employees. “Executives appear to be focused on lost or stolen information assets, computers and endpoint security issues rather than systemic system attacks,” according to the report. “On the other hand, rank-and-file employees acknowledge a wider set of issues, including database security and off-line devices.”
• IT executives are consistently more positive than their IT and information security staffs about the effectiveness of specific security procedures and tasks. The widest gaps concern identity and authentication of users before granting access to information assets or IT infrastructure.
• Staffers are much more likely than managers to see the necessity of certain enabling technologies to reduce or mitigate security risks within their organizations. The technologies with the widest difference include identity and access management systems, firewalls, database security tools, and anti-virus/anti-malware tools.
• Rank-and-file employees are much more likely than executives to see organizational issues as barriers and challenges that affect the management of privacy, data protection and information security requirements and objectives.