The document summarizes the preliminary results of the 2012 nCircle Federal Security and Compliance Trends Survey. Over 80% of respondents worked for the civilian government, while 14.3% worked in the military and 5.7% in intelligence. Slightly over half of respondents, 52.9%, were contractors while the rest, 47.1%, were employees. The survey found that compliance with regulations was a high priority but that agencies struggled with limited budgets and resources. IT security was considered very important but continuous monitoring and access to threat intelligence needed improvement.
Good morning and thank you for being here today. My name is Keren Cummins and I am the Director of Federal Markets for nCircle. For those of you who do not know us, nCircle provides information risk and security performance management solutions to both public and private sector enterprise organizations and currently supports over 20 US federal agencies. I am here today to share with you the preliminary results of our annual Security and Compliance Trends Survey and to encourage you to complete the survey you received at the registration table this morning. It should take you just a few minutes and for those interested in being considered for a free iPad 2 drawing, you can submit the completed survey at the nCircle table.
So what is the nCircle Security and Compliance Trends Survey? Each year, the nCircle Security Trends Survey provides insight into the challenges and concerns of information security professionals through a comprehensive study. This year for the first time, the survey dives into the unique cyber security hurdles and issues faced by the U.S. federal government. The survey is being conducted from April 28 through June 4, and we will be announcing the full results mid-June. In the meantime, in talking with the DGI team, I thought it would be interesting to share just a few of the preliminary results since the data we have received thus far is very timely and relevant to the topics being addressed here at the conference throughout the day. Then, I am going to step aside and turn the floor over to my respected colleague and nCircle CTO, Tim Keanini – TK.

So who has responded to the survey thus far? Over 70 participants from the US federal government have completed the survey with the greatest percentage (80%) from civilian agencies. The respondents to date are almost an equal mix of contractors vs. government employees (+/-6%), with representation spanning the very small to very large agencies. All identify themselves in large part as “security” professionals with almost 20% holding a Senior Management position.
When asked their biggest concern for 2012, meeting compliance requirements leads out with almost 32% identifying it as their top concern. Next in the lead is mobile devices and cloud.
While cloud migration appears to be moving at a slow pace, with the vast majority of agency respondents indicating that one-third or less of their infrastructure has been migrated to the cloud, over 30% of those who are using cloud are already migrating moderate impact data, speaking to a growing level of confidence in both the technology and policies that can enable higher risk use of the cloud.
This is an interesting snapshot of FedRAMP’s progress. Only a very small percentage of respondents acknowledge a role for FedRAMP’s baseline security controls in advancing their migration to the cloud. Perhaps security is not an issue for the remainder, but it seems more likely that FedRAMP still has some work to do to communicate the benefits of their security guidance. Thus far it does not appear to be resonating and/or building confidence among agency heads, enough to significantly advance their move to the cloud.
Mobile security is a topic of increasing concern, and on a more encouraging note, it appears that a significant majority of agencies do indeed have a mobile device security policy in place, and that they enforce it. Concerns about various types of mobile devices span the gamut, although Android and iPhone represent the greatest concerns.
However, when asked about their plans for monitoring such devices, almost twice as many folks do not have a strategy for monitoring the variety of mobile devices being introduced into the government space, as those who do.
Moving into the area of Oversight and Legislation, we are seeing limited confidence coming from inside government that the current proposed cyber legislation offers much improvement for the private sector’s security posture.
With respect to agency compliance, when asked specifically if CyberScope is helping to ease the burden of FISMA on government agencies, an overwhelming majority said “no”.
Perhaps the benefit of CyberScope is simply yet-to-be-realized given the fact that at least a third of agencies report not having yet participated in a CyberStat Review session. Clearly, however, if CyberScope is going to make significant progress in achieving its goal to reduce network risk, agencies are going to need to walk away from the reporting process with a clear path for improvement.
Moving more deeply into the continuous monitoring aspect of security, there are no surprises here – limited budgets are the greatest challenge for the implementation of continuous monitoring programs. A recent CBO report estimated that agency implementations of continuous monitoring would cost 2% of the overall cost of FISMA – or $710M over 5 years. The question I’d like to have asked survey respondents is, “Is that high or is that low?” For those agencies that are aggressively implementing continuous monitoring and risk scoring (CMRS) as a foundation for ongoing risk reduction, 2% seems rather low, given that the full value of a risk scoring program requires changes in business process and workflow, changes that support effective, prioritized response to identified risks. This certainly does take both time and money. In my opinion, for those organizations that are committed to using the program for risk identification, prioritization and remediation, continuous monitoring will ultimately represent a considerably larger percentage of their overall FISMA costs – but I also believe it will help drive their overall FISMA costs down. But, I didn’t get to ask that question…
I actually talk about the value of continuous monitoring and the associated metrics at great length in the nCircle Federal Outlook blog. While I can’t run a survey there I would encourage you to take a look at my recent posts on effective measuring. Would love to get comments. My premise is, ‘When you measure the measurement, and not the result -- sometimes you just get the act of measurement – and no results.’ I think this chart supports that theory. Despite the fact that the stated purpose of continuous monitoring is to manage and reduce risk, only a quarter of respondents have found continuous monitoring, as currently implemented and measured in their agencies, to have had a favorable impact on risk.
Finally, over the last year the threat environment has changed dramatically. While the term “hacktivism” has been around since 1996, most of the public probably heard it for the first time in the last 12-18 months. Today the threat environment includes three distinct categories of attackers, and our community perceives that all three types of attackers are targeting federal agencies and their data. Based on our preliminary survey results, advanced persistent threats (APT) pose a greater risk in public vs. private sectors. So why is that? I’m going to ask my colleague Tim Keanini, universally known as TK, to answer that question. In his presentation, TK will discuss the differences in motivation and intent for each of the three different types of attackers and discuss how federal security teams can use OODA loop principles to create and refine practical cyber security defenses for all three threat categories. Without further ado, TK….