SolarWinds Federal Cybersecurity Survey 2017: Government Regulations, IT Modernization, and Careless Insiders Undermine Federal Agencies’ Security Posture

© 2017 Market Connections, Inc.
SolarWinds®
Federal Cybersecurity Survey
Summary Report
2017
© 2017 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.

SOLARWINDS FEDERAL CYBERSECURITY SURVEY SUMMARY REPORT | MARKET CONNECTIONS, INC. | 703.378.2025
Background and Objectives
2
SolarWinds contracted Market Connections to design and conduct an online survey among 200 federal
government IT decision makers and influencers in July 2017. SolarWinds was not revealed as the sponsor of
the survey.
The main objectives of the survey were to:
• Determine challenges faced by IT professionals to prevent IT security threats
• Quantify sources and types of IT security threats
• Determine elements that aid successful management of risk
• Gauge sentiments regarding mandates and compliance
• Address the affects of network modernization on agency IT security challenges
• Quantify security issues regarding the Internet of Things (IoT)
Throughout the report, notable significant differences are reported.
Due to rounding, graphs may not add up to 100%.
BACKGROUND AND OBJECTIVES

1%
2%
3%
40%
55%
0% 10% 20% 30% 40% 50% 60%
Federal Legislature
Federal Judicial Branch
Intelligence Agency
Department of Defense or
Military Service
Federal, Civilian or Independent
Government Agency
Organizations Represented
RESPONDENT CLASSIFICATIONS 3
• A variety of defense and civilian agencies are represented in the survey sample.
Organizations Represented
Which of the following best describes your current employer?
What agency do you work for?
N=200
Sample Organizations Represented
(In Alphabetical Order)
Air Force Department of the Interior (DOI)
Army Department of Transportation (DOT)
Department of Commerce (DOC) Department of Treasury (TREAS)
Department of Defense (DOD) Department of Veteran Affairs (VA)
Department of Health and Human
Services (HHS)
Environmental Protection Agency
(EPA)
Department of Homeland Security
(DHS)
Navy
Department of Justice (DOJ)
Securities and Exchange Commission
(SEC)
Department of Labor (DOL) Social Security Administration (SSA)
Department of State (DOS) US Postal Service (USPS)

• All respondents are knowledgeable or involved in decisions and recommendations regarding IT operations and
management and IT security solutions and services.
Decision Making Involvement
How are you involved in your organization’s decisions or recommendations regarding IT operations and management and IT security solutions and services? (select all that apply)
N=200
Note: Multiple responses allowed
6%
24%
46%
47%
50%
51%
0% 10% 20% 30% 40% 50% 60%
Other involvement
Make the final decision
Manage or implement security/IT operations
Evaluate or recommend firms
Develop technical requirements
On a team that makes decisions

• A variety of job functions and tenures are represented in the sample, with most being IT management and
working at their current agency for over 20 years.
Job Function and Tenure
Which of the following best describes your current job title/function?
How long have you been working at your current agency?
N=200
12%
2%
6%
11%
14%
26%
28%
0% 10% 20% 30%
Other
CSO/CISO
CIO/CTO
Security/IA director
or manager
Security/IA staff
IT/IS staff
IT director/manager
Job Function
Examples Include:
• Director of
Procurement
• Program Manager
• Strategic Planner
1%
4%
8%
20%
21%
18%
28%
0% 10% 20% 30% 40%
Less than 1 Year
1-2 Years
3-4 Years
5-9 Years
10-14 Years
15-20 Years
20+ Years
Tenure

AGENCY ASSESSMENT 6
Agency Assessment – Evidence of IT Controls
How would you describe your agency’s ability to provide managers and auditors with evidence of appropriate IT controls?
N=200
2%
18%
52%
27%
Poor - We lack the necessary tools & documentation to
provide evidence of IT controls.
Fair - We have outdated policies, procedures and
technology in place. Reports are generated on an ad-hoc
basis.
Good - We have updated policies, procedures and
technology. Reports are generated on a regular basis.
Excellent - We have documented policies, procedures and
technology in place to validate controls via scheduled
reports.
0% 10% 20% 30% 40% 50% 60%
Excellent/
Good
79%
• More than three quarters describe their agency’s ability to provide managers and auditors with evidence of
appropriate IT controls as either excellent or good.

IT SECURITY OBSTACLES, THREATS AND BREACHES 7
• Similar to the 2016 survey, budget constraints top the list of significant obstacles to maintaining or improving agency IT
security.
IT Security Obstacles
What is the most significant high-level obstacle to maintaining or improving IT security at your agency?
N=200
2%
2%
4%
5%
7%
8%
11%
15%
16%
30%
0% 5% 10% 15% 20% 25% 30% 35%
Other
Lack of technical solutions available at my agency
Lack of clear standards
Lack of manpower
Inadequate collaboration with other internal teams
Lack of training for personnel
Lack of top-level direction and leadership
Complexity of internal environment
Competing priorities and other initiatives
Budget constraints
By Agency Type
Defense Civilian
2% 11%
By Agency’s Ability to Provide
Managers with Evidence of IT Controls
Excellent Good Fair/Poor
7% 19% 21%
= statistically significant difference

• Careless/untrained insiders and foreign governments are noted as the largest sources of security threats at federal
agencies. Significantly more defense than civilian respondents indicate malicious insiders is a security threat at
their agency.
Sources of Security Threats
What are the greatest sources of IT security threats to your agency? (select all that apply)
N=200
2%
1%
2%
12%
17%
20%
29%
34%
38%
48%
54%
0% 10% 20% 30% 40% 50% 60%
None of the above
Other
Unsure of these threats
Industrial spies
For-profit crime
Terrorists
Malicious insiders
Hacktivists
General hacking community
Foreign governments
Careless/untrained insiders
By Agency Type
Defense Civilian
40% 21%

• There has been no significant reduction in the various sources of security threats. Since 2014, respondents
indicate significant increases in threats from both careless/untrained and malicious insiders.
Sources of Security Threats – Trend
What are the greatest sources of IT security threats to your agency? (select all that apply)
N=200
Note: Multiple responses allowed = statistically significant difference= top 3 sources
2014 2015 2016 2017
Careless/untrained
insiders
42% 53% 48% 54%
Foreign governments 34% 38% 48% 48%
General hacking
community
47% 46% 46% 38%
Hacktivists 26% 30% 38% 34%
Malicious insiders 17% 23% 22% 29%
Terrorists 21% 18% 24% 20%
For-profit crime 11% 14% 18% 17%
Industrial spies 6% 10% 16% 12%

12%
10%
18%
16%
11%
14%
9%
12%
14%
16%
74%
68%
58%
59%
60%
49%
54%
45%
35%
32%
14%
22%
23%
25%
29%
37%
37%
43%
50%
52%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
APT
Mobile device theft
Physical security attacks
Insider data leakage/Theft
Denial of service
External hacking
Ransomware
Social engineering
Malware
SPAM
Decreased No Change Increased
• In the past 12 months, half of respondents have seen SPAM and malware increase at their agency.
Change in Security Threats
In the past 12 months, has your agency seen any changes in the following types of cyber security threats?
N=200

• Significantly more civilian than defense respondents
indicate seeing an increase in malware.
• A significantly greater proportion of respondents that
rate their agency’s ability to provide managers with
evidence of IT controls as fair/poor tend to indicate they
have seen an increase in SPAM, external hacking, and
denial of service.
rate their agency’s ability to provide evidence of IT
controls as excellent indicate they have seen a decrease
in most cyber security threats.
Change in Security Threats Differences
In the past 12 months, has your agency seen any changes in the following types of cyber security threats?
% DECREASED
Physical security attacks 30% 16% 10%
Insider data leakage/Theft 26% 11% 17%
Malware 26% 11% 10%
Social engineering 22% 10% 5%
Denial of service 22% 9% 2%
APT 20% 11% 2%
% INCREASED
SPAM 39% 56% 62%
External hacking 30% 35% 52%
Denial of service 26% 23% 48%
% INCREASED By Agency Type
Defense Civilian
Malware 42% 57%
N=200

• Half of respondents note a shortage of funding and resources is the greatest impediment to detection and
remediation of security issues at their agency.
Impediments of Detection and Remediation
Which of the following are the greatest impediments to detection and remediation of security issues at your agency? (select all that apply)
N=200
4%
18%
20%
20%
21%
22%
30%
31%
38%
50%
0% 10% 20% 30% 40% 50% 60%
Other
Lack of central reporting and remediation controls
Difficulty seeing into cloud-based applications and processes
Insufficient collection of operational & security-related data to detect threats
Lack of visibility into the network traffic and logs
Inability to link response systems to root out the cause
Insufficient training of IT staff to detect, respond and remediate security issues
Insufficient user awareness training
Shortage of skills
Shortage of funding and resources

• A greater proportion of respondents that indicate their agency’s ability to provide evidence of IT controls as
fair/poor indicate significantly more insufficient IT and user training, insufficient data collection and monitoring,
and lack of central reporting controls are impediments to detecting and remediating security issues.
• A significantly greater proportion of civilian than defense respondents indicate inability to link response systems
to root out the cause is an impediment to detecting and remediating issues.
Impediments Differences
Which of the following are the greatest impediments to detection and remediation of security issues at your agency? (select all that apply)
N=200
Note: Multiple responses allowed = statistically significant difference
By Agency’s Ability to Provide Managers
with Evidence of IT Controls
Insufficient training of IT staff to detect,
respond and remediate security issues
26% 26% 43%
Insufficient user awareness training 24% 29% 45%
Insufficient collection or monitoring of
operational and security-related data to
correlate events and detect threats
22% 14% 33%
Lack of central reporting and remediation
controls
13% 14% 36%
By Agency Type
Defense Civilian
Inability to link response
systems to root out the
cause
15% 27%

RISK MANAGEMENT 14
• Respondents most often indicate tools to monitor and report risk and IT modernization have contributed to
successfully managing risk. Still, one third note IT modernization has posed more of a challenge.
Managing Risk
How have the items below challenged or contributed to your agency’s ability to manage risk as part of its overall security posture in the past 12 months?
46% 43% 38% 34%
20% 34%
26%
22%
30% 19%
28%
34%
3% 5% 8% 10%
Tools to monitor and
report risk
IT modernization Network optimization Data center optimization
DK/NA
Had no effect
Posed more of a
challenge
Contributed to
success
N=200

RISK MANAGEMENT 15
• Significantly more defense than civilian respondents indicate IT modernization contributed to successfully
managing risk.
• A significantly greater proportion of respondents that rate their agency’s ability to provide evidence of IT controls
as excellent note IT modernization, tools to monitor and report risk, network optimization, and data center
optimization have contributed to success.
Managing Risk – Differences
Contributed to Success
IT modernization 61% 37% 36%
Tools to monitor and report risk 57% 40% 45%
Network optimization 54% 30% 38%
Data center optimization 48% 32% 24%
Contributed to Success By Agency Type
Defense Civilian
IT modernization 51% 37%
N=200

RISK MANAGEMENT 16
• Most respondents are split between cloud computing posing more of a challenge or having no effect.
Respondents most often indicate Internet of Things had no effect, followed by posed more of a challenge.
• A significantly greater proportion of respondents that rate their agency’s ability to provide evidence of IT controls
as fair/poor note cloud computing posed more of a challenge.
Managing Risk (Continued)
20%
9%
34%
32%
34%
42%
12% 17%
Cloud computing Internet of Things (IoT)
DK/NA
Had no effect
Posed more of a
challenge
Contributed to
success
Posed More of
a Challenge
Cloud
computing
26% 32% 48%
N=200

RISK MANAGEMENT 17
• Over half indicate regulations and mandates posed more of a challenge.
• Over half of respondents that indicate regulations contributed to success note Risk Management Framework
contributed to their ability to manage risk, while over half that indicate regulations posed more of a challenge
note Risk Management Framework posed more of a challenge to managing risk.
Managing Risk - Regulations and Mandates
How have the items below challenged or contributed to your agency’s ability to manage risk as part of its overall security posture in the past 12 months? What specific regulations and
mandates have contributed/posed more of a challenge to your agency’s ability to manage risk as part of its overall security posture in the past 12 months?
24%
52%
20%
4%
Regulations and Mandates
DK/NA
Had no effect
Posed more of a
challenge
Contributed to success
Contributed to
Success
(n=47)
Posed More of
a Challenge
(n=104)
Risk Management Framework 53% 51%
NIST Framework for Improving
Critical Infrastructure Cybersecurity 51% 38%
FISMA 47% 31%
DISA STIGs 38% 23%
NIST Publications 30% 28%
HIPAA 23% 26%
PCI 13% 8%
Other 4% 4%
N=200

RISK MANAGEMENT 18
• Respondents most often indicate their organization can detect rogue devices on the network within minutes.
Security Event Detection Speed
How long does it typically take your organization to detect and/or analyze the following security events?
N=200
4%
4%
14%
6%
5%
7%
6%
7%
4%
2%
2%
3%
3%
1%
4%
2%
2%
3%
14%
4%
3%
9%
6%
7%
8%
4%
6%
33%
27%
22%
20%
19%
16%
20%
12%
18%
30%
44%
36%
31%
36%
28%
25%
34%
25%
17%
18%
23%
30%
32%
38%
40%
42%
44%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Patches not up to date
Phishing attacks
Cross site scripting attacks
Unauthorized configuration changes
Presence of malware or ransomware
Misuse/abuse of credentials
Inappropriate internet access by insiders
Distributed denial of device attacks
Rogue devices on the network
Don't know/unsure No ability to detect Within a few weeks Within a few days Within one day Within minutes

RISK MANAGEMENT 19
• Respondents that indicate their agency’s ability to provide evidence of IT controls as excellent or good are
significantly more able than respondents who rate their agency’s ability as fair/poor to detect most security
threats within minutes.
Security Event Detection Speed Differences
N=200
Within Minutes
By Agency’s Ability to Provide Managers with
Evidence of IT Controls
Rogue devices on the network 59% 43% 29%
Inappropriate internet access by insiders 59% 39% 14%
Distributed denial of device attacks 52% 43% 24%
Misuse/abuse of credentials 50% 42% 14%
Presence of malware or ransomware 44% 32% 19%
Unauthorized configuration changes 44% 32% 7%
Cross site scripting attacks 39% 20% 10%
Patches not up to date 31% 14% 5%
Phishing attacks 30% 17% 5%

RISK MANAGEMENT 20
• Those who indicate their IT security practices are more robust than the commercial sector are significantly more
able to detect rogue devices, distributed denial of device attacks, inappropriate internet access by insiders, and
unauthorized configuration changes within minutes.
• A significantly greater proportion of defense than civilian respondents indicate their organization can detect
misuse of credentials within minutes.
Security Event Detection Speed Differences
N=200 = statistically significant difference
Within Minutes
By Agency's IT Security Practices Relative to the
Commercial Sector
More Robust On Par Not as Robust
Rogue devices on the
network 62% 38% 28%
Distributed denial of device
attacks
52% 36% 36%
Inappropriate internet
access by insiders 49% 39% 23%
Unauthorized configuration
changes 45% 25% 15%
Within Minutes By Agency Type
Defense Civilian
Misuse/Abuse of
credentials
48% 32%

6% 4% 4% 4% 4%
6%
3% 7% 12% 12%
46%
44%
45%
45% 48%
42% 50% 44% 38% 34%
IDENTIFY PROTECT DETECT RESPOND RECOVER
Mature
Somewhat mature
Not at all mature
DK
COMPLIANCE AND MANDATE SENTIMENTS 21
• The majority of respondents describe their agency at least somewhat mature for all five areas of the NIST
Framework for Improving Critical Infrastructure Cybersecurity. The weakest areas are RESPOND and RECOVER
with 12% noting they are not at all mature.
NIST Framework Maturity
How would you describe your agency’s maturity of each of the five areas of the NIST Framework for Improving Critical Infrastructure Cybersecurity?
N=200

indicate their IT security practices are at least on par with the
commercial sector, respondents that indicate their agency’s
ability to provide evidence of IT controls as excellent, and
respondents prepared to manage IoT devices describe their
agency’s maturity in each of the five areas of the NIST
Framework for Improving Critical Infrastructure Cybersecurity
as mature.
NIST Framework Maturity
How would you describe your agency’s maturity of each of the five areas of the NIST Framework for Improving Critical Infrastructure Cybersecurity?
Mature
Identify 67% 35% 31%
Protect 67% 45% 38%
Detect 65% 38% 36%
Respond 59% 36% 19%
Recover 61% 30% 12%
Mature
By Agency's IT Security Practices Relative to
the Commercial Sector
Identify 65% 36% 18%
Protect 70% 47% 21%
Detect 71% 39% 10%
Respond 52% 37% 18%
Recover 51% 32% 13%
Mature
By Preparedness to Discover, Manage and
Secure Internet of Things (IoT) Devices
Completely
Prepared/Some
Enhancements
Required
Major Upgrades of
Security Controls
Needed/Totally
Unprepared
Identify 47% 32%
Protect 57% 30%
Detect 54% 21%
Respond 46% 19%
Recover 43% 12%
N=200

• Over half of respondents agree the NIST Cybersecurity Framework has been successful in promoting a dialog
about managing risk. Opinions are split as to whether federal IT professionals fully understand the Framework.
NIST Framework
To what extent do you agree or disagree with the following statements regarding IT security?
10%
6%
25%
10%
27%
30%
33%
44%
6%
11%
0% 20% 40% 60% 80% 100%
Federal IT professionals fully understand the NIST
Cybersecurity Framework
Since its introduction in 2014 the NIST Cybersecurity
Framework has been successful in promoting a dialogue
about managing risk
Strongly disagree Somewhat disagree Neither agree or disagree Somewhat agree Strongly agree
% Strongly/
Somewhat
Agree
55%
38%
N=200

4%
4%
2%
9%
10%
8%
30%
28%
15%
45%
41%
48%
12%
18%
26%
0% 20% 40% 60% 80% 100%
My agency’s ability to pass OMB, CCRI and other audits
has improved
Compliance has helped my agency improve its
cybersecurity capabilities
Regarding IT security, federal agencies are more proactive
than they were 5 years ago
• Three quarters agree federal agencies are more proactive regarding IT security than they were five years ago.
Security Improvement
% Strongly/
Somewhat
Agree
75%
60%
56%
N=200

• Seven in ten agree that being compliant does not necessarily mean being secure.
Compliance and Risk Management
4%
2%
4%
18%
14%
8%
24%
26%
18%
43%
46%
32%
10%
13%
39%
0% 20% 40% 60% 80% 100%
Security regulations and mandates lead to complacency
since tasks are performed to ‘check a box’
Risk management is too often treated as a compliance
issue at my agency
Being compliant does not necessarily mean being secure
% Strongly/
Somewhat
Agree
70%
58%
54%
N=200

• Over two thirds agree implementation of relevant standards is critical to achieve their cybersecurity targets.
Success Factors
4%
3%
8%
4%
26%
26%
44%
40%
18%
28%
0% 20% 40% 60% 80% 100%
Agencies that merge and balance both risk management
and compliance are more likely to avoid IT security issues
Implementation of relevant standards is critical to achieve
our cybersecurity targets
% Strongly/
Somewhat
Agree
68%
62%
N=200

• A significantly greater proportion of civilian than defense respondents agree federal IT professionals fully
understand the NIST Cybersecurity Framework.
excellent or good and respondents that are prepared to manage IoT devices agree their agency’s ability to pass
OMB, CCRI and other audits has improved.
Sentiment Differences
% Strongly /Somewhat Agree By Agency Type
Defense Civilian
Federal IT professionals fully understand
the NIST Cybersecurity Framework
28% 46%
% Strongly /Somewhat Agree
My agency’s ability to pass
OMB, CCRI and other audits
has improved
63% 63% 31%
% Strongly /Somewhat Agree
Completely
Prepared/Some
Enhancements
Required
Major Upgrades of
Security Controls
Needed/Totally
Unprepared
My agency’s ability to pass
OMB, CCRI and other audits
has improved
62% 42%
N=200

NETWORK MODERNIZATION 28
• Two thirds think federal agencies’ efforts regarding network modernization has resulted in an increase in IT
security challenges.
Network Modernization
Do you think federal agencies’ efforts regarding network modernization have resulted in an increase or decrease in the IT security challenges faced?
N=200
66%
13%
20%
Increase
Decrease
No effect

• Half of the respondents that believe IT security challenges have increased as a result of network modernization
indicate it is due to more vulnerabilities in new technology stacks, the burden of supporting new and legacy
systems and lack of training on new technologies.
Increased Security Challenges
What are the reasons you believe IT security challenges have increased as a result of network modernization? (select all that apply)
N=133
3%
39%
42%
50%
51%
53%
0% 10% 20% 30% 40% 50% 60%
Other
New technologies are not deployed correctly
New technologies are not fully deployed
Lack of training on new technologies
Burden of supporting new technologies and legacy systems
More vulnerabilities in new technology stacks

What are the reasons you believe IT security challenges have decreased as a result of network modernization? (select all that apply)
• Most respondents that believe IT security challenges have decreased as a result of network modernization believe
it is due to better tools for automated protection and remediation.
Decreased Security Challenges
N=26
0%
19%
31%
54%
65%
85%
0% 20% 40% 60% 80% 100%
Other
Fewer systems to maintain
Newer technologies contain smaller attack surfaces
Less legacy equipment to maintain
Stronger built-in security features of new equipment
Better tools for automated protection and remediation

• Lack of funding is the top factor that respondents indicate hinders their agency’s ability to advance its network
modernization efforts. One half also noted the federal procurement process as hindrance.
Obstacles of Network Modernization
What are the top three factors that hinder your agency’s ability to advance its network modernization efforts? (select three)
N=200
2%
20%
24%
31%
34%
38%
50%
55%
0% 10% 20% 30% 40% 50% 60%
Other
Unrealistic goals and timelines
Lack of top management commitment
Increasing network complexity
Lack of skilled staff
Conflicting priorities
Complex and long federal procurement process
Lack of funding

TOOLS AND PRACTICES 32
• Over two thirds indicate the effectiveness is high for Smart Card/CAC to foster network and application security.
Security Product Effectiveness
The following are tools and practices that foster network and application security. Please indicate the effectiveness for each.
8%
6%
8%
2%
4%
4%
4%
3%
2%
3%
14%
7%
9%
11%
8%
8%
7%
6%
4%
4%
48%
51%
48%
49%
47%
44%
44%
44%
38%
26%
32%
36%
36%
38%
42%
45%
46%
48%
56%
68%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Messaging security software
SIEM software
File integrity monitoring software
Web application security tools
Configuration management software
Patch management software
Network admission control (NAC) solutions
Endpoint security software
Identity and access management tools
Smart Card / Common Access Card
Don't use Low Moderate High
N=200

TOOLS AND PRACTICES 33
• A significantly greater proportion of respondents that indicate their agency’s ability to provide evidence of IT
controls is excellent indicate most tools are high in effectiveness in fostering network and application security.
• A significantly greater proportion of defense respondents indicate Smart Cards are effective, while significantly
more civilian respondents indicate endpoint security, patch management, and messaging security software are
highly effective.
Security Product Effectiveness Differences
The following are tools and practices that foster network and application security. For each, please indicate the effectiveness for each.
High
By Agency’s Ability to Provide Managers with
Evidence of IT Controls
Endpoint security software 61% 44% 38%
Network admission control (NAC) solutions 61% 40% 38%
Configuration management software 57% 41% 21%
Web application security tools 56% 30% 33%
Patch management software 54% 46% 31%
File integrity monitoring software 52% 38% 10%
SIEM software 52% 35% 21%
Messaging security software 46% 28% 21%
High By Agency Type
Defense Civilian
Smart Card / Common access
card for authentication 76% 61%
Endpoint security software 36% 56%
Patch management software 30% 56%
Messaging security software 20% 40%
N=200

INTERNET OF THINGS 34
• The majority of respondents indicate some enhancements are required to discover, manage and secure Internet
of Things (IoT) devices.
excellent and those who indicate their IT security practices are more robust than the commercial sector are
completely prepared.
Agency Assessment – Prepared for IoT
Given the current state of your agency’s overall security controls, how would you rate your preparedness to discover, manage and secure Internet of Things (IoT) devices?
N=200
5%
24%
60%
12%
Totally unprepared
Major upgrades of security
controls needed
Some enhancements required
Completely prepared
0% 10% 20% 30% 40% 50% 60% 70%
By Agency's IT Security Practices Relative to
the Commercial Sector
Completely prepared 23% 8% 3%
Some enhancements required 61% 65% 44%
Major upgrades needed 14% 22% 44%
Completely prepared 30% 7% 2%
Some enhancements required 52% 68% 48%
Major upgrades needed 15% 24% 33%

INTERNET OF THINGS 35
• Increased attack surface is noted most often as the greatest security challenge that agencies will face as the
Internet of Things (IoT) evolves.
IoT Security Challenges
What are the three greatest security challenges and concerns that agencies will face as the Internet of Things (IoT) evolves? (select three)
N=200
2%
22%
22%
26%
33%
35%
36%
36%
38%
0% 5% 10% 15% 20% 25% 30% 35% 40%
Other
Collection of IoT device data by third parties
Inability to detect and inventory IoT devices
Lack of updates of IoT devices
Out of date software/firmware running on IoT devices
Potential data privacy issues
Lack of IT staff knowledgeable of IoT
Inconsistency of the security on connected devices
Increased attack surface

SECURITY COMPARISON TO COMMERCIAL SECTOR 36
• Nearly half feel their agency’s security practices and protocols are on par with the commercial sector.
Security Comparison to Commercial Sector
In general, how would you compare your agency’s IT security practices and protocols relative to those in the commercial sector? My agency’s security practices and protocols are:
N=200
34%
46%
20%
More robust than the
commercial sector
On par with the
commercial sector
Not as robust as the
commercial sector
0%
10%
20%
30%
40%
50%
My agency’s security practices and protocols are…
commercial sector 52% 33% 17%
By Agency Type
Defense Civilian
commercial sector
45% 26%
Completely
Prepared/Some
Enhancements
Required
Major Upgrades of
Security Controls
Needed/Totally
Unprepared
commercial sector 41% 19%
• Defense respondents, those who rate their agency’s ability to provide
evidence of IT controls as excellent, and those that are prepared to manage
IoT devices indicate significantly more that their agency’s security practices
are more robust than the commercial sector.

Select Comments
COMMENTS 37
Please feel free to share any other comments or concerns regarding your agency’s IT security challenges and success stories. (open end)
Hard to hire skilled people in a timely fashion, huge gaps in knowledge. [CIVILIAN]
Despite all the outside threats, our worst security problems have come from insider issues - some of it malfeasance, some of
it ignorance, some of it laziness. This despite non-stop documented training in all these area. [DEFENSE]
Conflicting compliance and procurement regulations. [DEFENSE]
A big problem for us is a desire on the part of many to integrate our software system with contractors that serve us. Not a
bad idea except we literally have 50,000 different contractors we deal with on a daily basis. This may be possible for some of
the largest contractors but not all. [DEFENSE]
Poor BYOD policies have led to more challenges. [DEFENSE]
Our equipment is shamefully outdated. [CIVILIAN]
Complexity of regulatory framework adds to challenges. [DEFENSE]
“

KEY TAKEAWAYS 38
Key Takeaways
• Overall, the majority of agency decision makers rate themselves highly for evidence of appropriate IT
controls and believe they are on par with or more robust than the commercial sector in terms of IT security
practices and tools. Three quarters believe federal agencies are more proactive regarding IT security than
five years ago.
• Budget constraints continue to be an obstacle to improving IT security at their agencies as well as impeding
the detection and remediation of security issues. Lack of funding is also hindering agencies’ ability to
advance its network modernization efforts.
• Careless/untrained insiders, foreign governments and the general hacking community continue to be the
top sources of IT security threats similar to the past three years. SPAM and Malware are noted as
increasing in the last 12 months.
• Though the majority agree that compliance has helped their agency improve its cybersecurity capabilities,
seven in ten believe that being compliant does not necessarily mean being secure. Over half believe that
security regulations and mandates can lead to complacency since tasks are performed to ‘check a box’.

KEY TAKEAWAYS 39
Key Takeaways
• The majority believe that NIST’s Cybersecurity Framework has been successful in promoting a dialogue
about managing risk and more than eight in ten indicate their agencies are at least somewhat mature in
each of the five areas of the Framework. Still over a third agree that federal IT professionals don’t fully
understand the Framework.
• Two-thirds think that federal agencies’ effort regarding network modernization has resulted in an increase
of IT security challenges. Respondents cite more vulnerabilities in new technology stacks, the burden of
supporting new and legacy systems and lack of training on new technologies as reasons for the increased
challenges.
• Few feel their agencies are completely prepared to discover, manage and secure the Internet of Things. The
majority believe that at least some enhancements are required. IoT brings a number of security challenges,
most notably an increased attack surface, inconsistency of security in connected devices and the lack of
knowledgeable IT staff.
• Smart Cards and identify access management tools are rated most often as highly effective tools that foster
network and application security.

RESEARCH TO INFORM STRATEGIC DECISION-MAKING 40
Contact Information
Laurie Morrow, VP, Research Strategy | Market Connections, Inc.
11350 Random Hills Road, Suite 800 | Fairfax, VA 22033 | 703.378.2025
LaurieM@marketconnectionsinc.com
Lisa M. Sherwin Wulf, Director of Marketing - Federal & National Government| SolarWinds
703.386.2628
Lisa.SherwinWulf@solarwinds.com
www.solarwinds.com/federal
LinkedIn: SolarWinds Government

SolarWinds Federal Cybersecurity Survey 2017: Government Regulations, IT Modernization, and Careless Insiders Undermine Federal Agencies’ Security Posture

More Related Content

What's hot

Similar to SolarWinds Federal Cybersecurity Survey 2017: Government Regulations, IT Modernization, and Careless Insiders Undermine Federal Agencies’ Security Posture

More from SolarWinds

Recently uploaded

SolarWinds Federal Cybersecurity Survey 2017: Government Regulations, IT Modernization, and Careless Insiders Undermine Federal Agencies’ Security Posture

Editor's Notes