Federal focus on cybersecurity “abysmal” according to new analysis

In light of 2014’s run of massive data breaches and the GAO’s estimation that “the number of cyber threats to federal agencies increased 782 percent between 2006 and 2012”, the Brookings Institution – a “nonprofit public policy organization” – recently analyzed “the strategic plans of U.S. federal agencies” to “examine the level of emphasis that federal agencies place on cybersecurity”. Its conclusions do not make for encouraging reading.

Action falls far short of guidance

Under the GPRA Modernization Act of 2010, each federal agency must prepare a four-year strategic plan that includes “a comprehensive mission statement”, “general goals and objectives”, and “an identification of those key factors external to the agency and beyond its control that could significantly affect the achievement of the general goals and objectives”. The Brookings Institution examined these strategic plans:

“In studying the IT initiatives described in these plans, we find that the focus on cybersecurity is abysmal. Half of the federal agency strategic plans make no mention of cybersecurity, and less than one quarter of IT objectives make any mention of efforts to secure IT systems. Additionally, federal agencies rarely discuss cybersecurity efforts in detail. Most agencies only have brief mentions of ongoing efforts…

“The vast majority of public agencies lack a clear cybersecurity plan. In addition, equally striking is the reactive nature of most plans when it comes to cybersecurity. In order to address the cybersecurity threat agencies need to be proactive and sense the evolving technology space. Agencies need to develop capabilities to take proactive stances when it comes to understanding future threats. This will require them to develop innovative cybersecurity strategies.”

“Do as I say, not as I do”

Such a poor estimation of federal cybersecurity will likely sting the Obama administration, which has been focusing on the issue for much of the year, proposing new laws and promoting private sector cybersecurity information sharing. If the government wants to bolster national cybersecurity, it is vital that it practices the same things that it advocates for others.

Public confidence in federal cybersecurity guidance will never increase as long as politicians demonstrate scant knowledge of or regard for the issues they supposedly advise on – as demonstrated by the widespread incredulity that erupted online following South Carolina Republican Lindsey Graham’s admission to NBC’s Meet the Press yesterday that he’d never sent an email. (Sen. Graham currently sits on the Subcommittee on Privacy, Technology and the Law.)

The government and military accounted for 10% of 2014’s publicly reported data breaches, according to figures from the Privacy Rights Clearinghouse. For those statistics to look more favorable in 2015, federal agencies need to take action. All organizations – public or private – can improve their cybersecurity postures with international best practice.

ISO 27001

The ISO 27001 standard sets out the requirements of an information security management system (ISMS) that can be implemented in any organization. An ISMS allows organizations of all types to employ a risk-based approach to information security that encompasses people, processes, and technology. As part of an overall management system, an ISMS functions to protect and monitor information, and improve how security is handled within an organization.

Certification to ISO 27001 is a globally acknowledged mark of compliance, and provides huge business benefits. According to the latest ISO survey, 36% more organizations were certified to ISO 27001 in 2013 than in 2012.

ISO 27001 Packaged Solutions

Having led hundreds of ISO 27001 certifications around the world, IT Governance has now developed a series of fixed-price ISO 27001 Packaged Solutions that allow organizations of all sizes, sectors, and locations to use its expertise to implement the Standard at a speed and for a budget appropriate to their individual needs.

There are five core packages: The Basics, Do It Yourself, Get A Little Help, Get A Lot Of Help, and We’ll Do It For You, each of which provides a different level of support and resources.
