© 2017 Market Connections, Inc.
SolarWinds®
Federal Cybersecurity Survey
Summary Report
2017
© 2017 SOLARWINDS WORLDWIDE, ...
SOLARWINDS FEDERAL CYBERSECURITY SURVEY SUMMARY REPORT | MARKET CONNECTIONS, INC. | 703.378.2025

SolarWinds Federal Cybersecurity Survey 2017: Government Regulations, IT Modernization, and Careless Insiders Undermine Federal Agencies’ Security Posture


SolarWinds, a leading provider of powerful and affordable IT management software, revealed on September 18, 2017 the findings of its fourth annual Federal Cybersecurity Survey*. Featuring insights from 200 civilian and Department of Defense (DoD) IT decision-makers, the survey explores the security challenges faced by public sector IT professionals, quantifies the sources and types of IT security threats, and evaluates the impact of IT modernization initiatives, mandates, and compliance on government security preparedness.

Published in: Technology

  1. SolarWinds® Federal Cybersecurity Survey Summary Report 2017. © 2017 Market Connections, Inc. © 2017 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.
  2. BACKGROUND AND OBJECTIVES
     SolarWinds contracted Market Connections to design and conduct an online survey among 200 federal government IT decision makers and influencers in July 2017. SolarWinds was not revealed as the sponsor of the survey. The main objectives of the survey were to:
     • Determine challenges faced by IT professionals to prevent IT security threats
     • Quantify sources and types of IT security threats
     • Determine elements that aid successful management of risk
     • Gauge sentiments regarding mandates and compliance
     • Address the effects of network modernization on agency IT security challenges
     • Quantify security issues regarding the Internet of Things (IoT)
     Throughout the report, notable significant differences are reported. Due to rounding, graphs may not add up to 100%.
  3. RESPONDENT CLASSIFICATIONS: Organizations Represented
     • A variety of defense and civilian agencies are represented in the survey sample.
     Questions: Which of the following best describes your current employer? What agency do you work for? (N=200)
     Organizations represented:
     • Federal Legislature: 1%
     • Federal Judicial Branch: 2%
     • Intelligence Agency: 3%
     • Department of Defense or Military Service: 40%
     • Federal, Civilian or Independent Government Agency: 55%
     Sample organizations represented (in alphabetical order): Air Force; Army; Department of Commerce (DOC); Department of Defense (DOD); Department of Health and Human Services (HHS); Department of Homeland Security (DHS); Department of Justice (DOJ); Department of Labor (DOL); Department of State (DOS); Department of the Interior (DOI); Department of Transportation (DOT); Department of Treasury (TREAS); Department of Veteran Affairs (VA); Environmental Protection Agency (EPA); Navy; Securities and Exchange Commission (SEC); Social Security Administration (SSA); US Postal Service (USPS)
  4. RESPONDENT CLASSIFICATIONS: Decision Making Involvement
     • All respondents are knowledgeable or involved in decisions and recommendations regarding IT operations and management and IT security solutions and services.
     Question: How are you involved in your organization’s decisions or recommendations regarding IT operations and management and IT security solutions and services? (select all that apply) (N=200; multiple responses allowed)
     • Other involvement: 6%
     • Make the final decision: 24%
     • Manage or implement security/IT operations: 46%
     • Evaluate or recommend firms: 47%
     • Develop technical requirements: 50%
     • On a team that makes decisions: 51%
  5. RESPONDENT CLASSIFICATIONS: Job Function and Tenure
     • A variety of job functions and tenures are represented in the sample, with most being IT management and working at their current agency for over 20 years.
     Questions: Which of the following best describes your current job title/function? How long have you been working at your current agency? (N=200)
     Job function:
     • Other: 12%
     • CSO/CISO: 2%
     • CIO/CTO: 6%
     • Security/IA director or manager: 11%
     • Security/IA staff: 14%
     • IT/IS staff: 26%
     • IT director/manager: 28%
     Job function examples include: Director of Procurement; Program Manager; Strategic Planner
     Tenure:
     • Less than 1 Year: 1%
     • 1-2 Years: 4%
     • 3-4 Years: 8%
     • 5-9 Years: 20%
     • 10-14 Years: 21%
     • 15-20 Years: 18%
     • 20+ Years: 28%
  6. AGENCY ASSESSMENT: Agency Assessment – Evidence of IT Controls
     • More than three quarters describe their agency’s ability to provide managers and auditors with evidence of appropriate IT controls as either excellent or good.
     Question: How would you describe your agency’s ability to provide managers and auditors with evidence of appropriate IT controls? (N=200)
     • Poor - We lack the necessary tools & documentation to provide evidence of IT controls: 2%
     • Fair - We have outdated policies, procedures and technology in place. Reports are generated on an ad-hoc basis: 18%
     • Good - We have updated policies, procedures and technology. Reports are generated on a regular basis: 52%
     • Excellent - We have documented policies, procedures and technology in place to validate controls via scheduled reports: 27%
     Excellent/Good: 79%
  7. IT SECURITY OBSTACLES, THREATS AND BREACHES: IT Security Obstacles
     • Similar to the 2016 survey, budget constraints top the list of significant obstacles to maintaining or improving agency IT security.
     Question: What is the most significant high-level obstacle to maintaining or improving IT security at your agency? (N=200)
     • Other: 2%
     • Lack of technical solutions available at my agency: 2%
     • Lack of clear standards: 4%
     • Lack of manpower: 5%
     • Inadequate collaboration with other internal teams: 7%
     • Lack of training for personnel: 8%
     • Lack of top-level direction and leadership: 11%
     • Complexity of internal environment: 15%
     • Competing priorities and other initiatives: 16%
     • Budget constraints: 30%
     Statistically significant differences called out on the chart:
     • By Agency Type: Defense 2%, Civilian 11%
     • By Agency’s Ability to Provide Managers with Evidence of IT Controls: Excellent 7%, Good 19%, Fair/Poor 21%
  8. IT SECURITY OBSTACLES, THREATS AND BREACHES: Sources of Security Threats
     • Careless/untrained insiders and foreign governments are noted as the largest sources of security threats at federal agencies. Significantly more defense than civilian respondents indicate malicious insiders is a security threat at their agency.
     Question: What are the greatest sources of IT security threats to your agency? (select all that apply) (N=200; multiple responses allowed)
     • None of the above: 2%
     • Other: 1%
     • Unsure of these threats: 2%
     • Industrial spies: 12%
     • For-profit crime: 17%
     • Terrorists: 20%
     • Malicious insiders: 29%
     • Hacktivists: 34%
     • General hacking community: 38%
     • Foreign governments: 48%
     • Careless/untrained insiders: 54%
     Malicious insiders, by agency type (statistically significant difference): Defense 40%, Civilian 21%
  9. IT SECURITY OBSTACLES, THREATS AND BREACHES: Sources of Security Threats – Trend
     • There has been no significant reduction in the various sources of security threats. Since 2014, respondents indicate significant increases in threats from both careless/untrained and malicious insiders.
     Question: What are the greatest sources of IT security threats to your agency? (select all that apply) (N=200; multiple responses allowed)
     Source: 2014 / 2015 / 2016 / 2017
     • Careless/untrained insiders: 42% / 53% / 48% / 54%
     • Foreign governments: 34% / 38% / 48% / 48%
     • General hacking community: 47% / 46% / 46% / 38%
     • Hacktivists: 26% / 30% / 38% / 34%
     • Malicious insiders: 17% / 23% / 22% / 29%
     • Terrorists: 21% / 18% / 24% / 20%
     • For-profit crime: 11% / 14% / 18% / 17%
     • Industrial spies: 6% / 10% / 16% / 12%
  10. IT SECURITY OBSTACLES, THREATS AND BREACHES: Change in Security Threats
     • In the past 12 months, half of respondents have seen SPAM and malware increase at their agency.
     Question: In the past 12 months, has your agency seen any changes in the following types of cyber security threats? (N=200)
     Threat: Decreased / No Change / Increased
     • APT: 12% / 74% / 14%
     • Mobile device theft: 10% / 68% / 22%
     • Physical security attacks: 18% / 58% / 23%
     • Insider data leakage/Theft: 16% / 59% / 25%
     • Denial of service: 11% / 60% / 29%
     • External hacking: 14% / 49% / 37%
     • Ransomware: 9% / 54% / 37%
     • Social engineering: 12% / 45% / 43%
     • Malware: 14% / 35% / 50%
     • SPAM: 16% / 32% / 52%
  11. IT SECURITY OBSTACLES, THREATS AND BREACHES: Change in Security Threats Differences
     • Significantly more civilian than defense respondents indicate seeing an increase in malware.
     • A significantly greater proportion of respondents that rate their agency’s ability to provide managers with evidence of IT controls as fair/poor tend to indicate they have seen an increase in SPAM, external hacking, and denial of service.
     • A significantly greater proportion of respondents that rate their agency’s ability to provide evidence of IT controls as excellent indicate they have seen a decrease in most cyber security threats.
     Question: In the past 12 months, has your agency seen any changes in the following types of cyber security threats? (N=200)
     % Decreased, by Agency’s Ability to Provide Managers with Evidence of IT Controls (Excellent / Good / Fair/Poor):
     • Physical security attacks: 30% / 16% / 10%
     • Insider data leakage/Theft: 26% / 11% / 17%
     • Malware: 26% / 11% / 10%
     • Social engineering: 22% / 10% / 5%
     • Denial of service: 22% / 9% / 2%
     • APT: 20% / 11% / 2%
     % Increased, by Agency’s Ability to Provide Managers with Evidence of IT Controls (Excellent / Good / Fair/Poor):
     • SPAM: 39% / 56% / 62%
     • External hacking: 30% / 35% / 52%
     • Denial of service: 26% / 23% / 48%
     % Increased, by Agency Type (Defense / Civilian):
     • Malware: 42% / 57%
  12. IT SECURITY OBSTACLES, THREATS AND BREACHES: Impediments of Detection and Remediation
     • Half of respondents note a shortage of funding and resources is the greatest impediment to detection and remediation of security issues at their agency.
     Question: Which of the following are the greatest impediments to detection and remediation of security issues at your agency? (select all that apply) (N=200; multiple responses allowed)
     • Other: 4%
     • Lack of central reporting and remediation controls: 18%
     • Difficulty seeing into cloud-based applications and processes: 20%
     • Insufficient collection of operational & security-related data to detect threats: 20%
     • Lack of visibility into the network traffic and logs: 21%
     • Inability to link response systems to root out the cause: 22%
     • Insufficient training of IT staff to detect, respond and remediate security issues: 30%
     • Insufficient user awareness training: 31%
     • Shortage of skills: 38%
     • Shortage of funding and resources: 50%
  13. IT SECURITY OBSTACLES, THREATS AND BREACHES: Impediments Differences
     • A greater proportion of respondents that indicate their agency’s ability to provide evidence of IT controls as fair/poor indicate significantly more insufficient IT and user training, insufficient data collection and monitoring, and lack of central reporting controls are impediments to detecting and remediating security issues.
     • A significantly greater proportion of civilian than defense respondents indicate inability to link response systems to root out the cause is an impediment to detecting and remediating issues.
     Question: Which of the following are the greatest impediments to detection and remediation of security issues at your agency? (select all that apply) (N=200; multiple responses allowed)
     By Agency’s Ability to Provide Managers with Evidence of IT Controls (Excellent / Good / Fair/Poor):
     • Insufficient training of IT staff to detect, respond and remediate security issues: 26% / 26% / 43%
     • Insufficient user awareness training: 24% / 29% / 45%
     • Insufficient collection or monitoring of operational and security-related data to correlate events and detect threats: 22% / 14% / 33%
     • Lack of central reporting and remediation controls: 13% / 14% / 36%
     By Agency Type (Defense / Civilian):
     • Inability to link response systems to root out the cause: 15% / 27%
  14. RISK MANAGEMENT: Managing Risk
     • Respondents most often indicate tools to monitor and report risk and IT modernization have contributed to successfully managing risk. Still, one third note IT modernization has posed more of a challenge.
     Question: How have the items below challenged or contributed to your agency’s ability to manage risk as part of its overall security posture in the past 12 months? (N=200)
     Item: Contributed to success / Posed more of a challenge / Had no effect / DK/NA
     • Tools to monitor and report risk: 46% / 20% / 30% / 3%
     • IT modernization: 43% / 34% / 19% / 5%
     • Network optimization: 38% / 26% / 28% / 8%
     • Data center optimization: 34% / 22% / 34% / 10%
  15. RISK MANAGEMENT: Managing Risk – Differences
     • Significantly more defense than civilian respondents indicate IT modernization contributed to successfully managing risk.
     • A significantly greater proportion of respondents that rate their agency’s ability to provide evidence of IT controls as excellent note IT modernization, tools to monitor and report risk, network optimization, and data center optimization have contributed to success.
     Question: How have the items below challenged or contributed to your agency’s ability to manage risk as part of its overall security posture in the past 12 months? (N=200)
     Contributed to Success, by Agency’s Ability to Provide Managers with Evidence of IT Controls (Excellent / Good / Fair/Poor):
     • IT modernization: 61% / 37% / 36%
     • Tools to monitor and report risk: 57% / 40% / 45%
     • Network optimization: 54% / 30% / 38%
     • Data center optimization: 48% / 32% / 24%
     Contributed to Success, by Agency Type (Defense / Civilian):
     • IT modernization: 51% / 37%
  16. RISK MANAGEMENT: Managing Risk (Continued)
     • Most respondents are split between cloud computing posing more of a challenge or having no effect. Respondents most often indicate Internet of Things had no effect, followed by posed more of a challenge.
     • A significantly greater proportion of respondents that rate their agency’s ability to provide evidence of IT controls as fair/poor note cloud computing posed more of a challenge.
     Question: How have the items below challenged or contributed to your agency’s ability to manage risk as part of its overall security posture in the past 12 months? (N=200)
     Item: Contributed to success / Posed more of a challenge / Had no effect / DK/NA
     • Cloud computing: 20% / 34% / 34% / 12%
     • Internet of Things (IoT): 9% / 32% / 42% / 17%
     Posed More of a Challenge, by Agency’s Ability to Provide Managers with Evidence of IT Controls (Excellent / Good / Fair/Poor):
     • Cloud computing: 26% / 32% / 48%
  17. RISK MANAGEMENT: Managing Risk - Regulations and Mandates
     • Over half indicate regulations and mandates posed more of a challenge.
     • Over half of respondents that indicate regulations contributed to success note Risk Management Framework contributed to their ability to manage risk, while over half that indicate regulations posed more of a challenge note Risk Management Framework posed more of a challenge to managing risk.
     Questions: How have the items below challenged or contributed to your agency’s ability to manage risk as part of its overall security posture in the past 12 months? What specific regulations and mandates have contributed/posed more of a challenge to your agency’s ability to manage risk as part of its overall security posture in the past 12 months? (N=200; multiple responses allowed)
     Regulations and Mandates: Contributed to success 24%, Posed more of a challenge 52%, Had no effect 20%, DK/NA 4%
     Regulation or mandate: Contributed to Success (n=47) / Posed More of a Challenge (n=104)
     • Risk Management Framework: 53% / 51%
     • NIST Framework for Improving Critical Infrastructure Cybersecurity: 51% / 38%
     • FISMA: 47% / 31%
     • DISA STIGs: 38% / 23%
     • NIST Publications: 30% / 28%
     • HIPAA: 23% / 26%
     • PCI: 13% / 8%
     • Other: 4% / 4%
  18. RISK MANAGEMENT: Security Event Detection Speed
     • Respondents most often indicate their organization can detect rogue devices on the network within minutes.
     Question: How long does it typically take your organization to detect and/or analyze the following security events? (N=200)
     Event: Within minutes / Within one day / Within a few days / Within a few weeks / No ability to detect / Don't know/unsure
     • Patches not up to date: 17% / 30% / 33% / 14% / 2% / 4%
     • Phishing attacks: 18% / 44% / 27% / 4% / 2% / 4%
     • Cross site scripting attacks: 23% / 36% / 22% / 3% / 3% / 14%
     • Unauthorized configuration changes: 30% / 31% / 20% / 9% / 3% / 6%
     • Presence of malware or ransomware: 32% / 36% / 19% / 6% / 1% / 5%
     • Misuse/abuse of credentials: 38% / 28% / 16% / 7% / 4% / 7%
     • Inappropriate internet access by insiders: 40% / 25% / 20% / 8% / 2% / 6%
     • Distributed denial of device attacks: 42% / 34% / 12% / 4% / 2% / 7%
     • Rogue devices on the network: 44% / 25% / 18% / 6% / 3% / 4%
  19. RISK MANAGEMENT: Security Event Detection Speed Differences
     • Respondents that indicate their agency’s ability to provide evidence of IT controls as excellent or good are significantly more able than respondents who rate their agency’s ability as fair/poor to detect most security threats within minutes.
     Question: How long does it typically take your organization to detect and/or analyze the following security events? (N=200)
     Within Minutes, by Agency’s Ability to Provide Managers with Evidence of IT Controls (Excellent / Good / Fair/Poor):
     • Rogue devices on the network: 59% / 43% / 29%
     • Inappropriate internet access by insiders: 59% / 39% / 14%
     • Distributed denial of device attacks: 52% / 43% / 24%
     • Misuse/abuse of credentials: 50% / 42% / 14%
     • Presence of malware or ransomware: 44% / 32% / 19%
     • Unauthorized configuration changes: 44% / 32% / 7%
     • Cross site scripting attacks: 39% / 20% / 10%
     • Patches not up to date: 31% / 14% / 5%
     • Phishing attacks: 30% / 17% / 5%
  20. RISK MANAGEMENT: Security Event Detection Speed Differences
     • Those who indicate their IT security practices are more robust than the commercial sector are significantly more able to detect rogue devices, distributed denial of device attacks, inappropriate internet access by insiders, and unauthorized configuration changes within minutes.
     • A significantly greater proportion of defense than civilian respondents indicate their organization can detect misuse of credentials within minutes.
     Question: How long does it typically take your organization to detect and/or analyze the following security events? (N=200)
     Within Minutes, by Agency's IT Security Practices Relative to the Commercial Sector (More Robust / On Par / Not as Robust):
     • Rogue devices on the network: 62% / 38% / 28%
     • Distributed denial of device attacks: 52% / 36% / 36%
     • Inappropriate internet access by insiders: 49% / 39% / 23%
     • Unauthorized configuration changes: 45% / 25% / 15%
     Within Minutes, by Agency Type (Defense / Civilian):
     • Misuse/Abuse of credentials: 48% / 32%
  21. COMPLIANCE AND MANDATE SENTIMENTS: NIST Framework Maturity
     • The majority of respondents describe their agency at least somewhat mature for all five areas of the NIST Framework for Improving Critical Infrastructure Cybersecurity. The weakest areas are RESPOND and RECOVER with 12% noting they are not at all mature.
     Question: How would you describe your agency’s maturity of each of the five areas of the NIST Framework for Improving Critical Infrastructure Cybersecurity? (N=200)
     Area: Mature / Somewhat mature / Not at all mature / DK
     • IDENTIFY: 42% / 46% / 6% / 6%
     • PROTECT: 50% / 44% / 3% / 4%
     • DETECT: 44% / 45% / 7% / 4%
     • RESPOND: 38% / 45% / 12% / 4%
     • RECOVER: 34% / 48% / 12% / 4%
  22. COMPLIANCE AND MANDATE SENTIMENTS: NIST Framework Maturity
     • A significantly greater proportion of respondents that indicate their IT security practices are at least on par with the commercial sector, respondents that indicate their agency’s ability to provide evidence of IT controls as excellent, and respondents prepared to manage IoT devices describe their agency’s maturity in each of the five areas of the NIST Framework for Improving Critical Infrastructure Cybersecurity as mature.
     Question: How would you describe your agency’s maturity of each of the five areas of the NIST Framework for Improving Critical Infrastructure Cybersecurity? (N=200)
     Mature, by Agency’s Ability to Provide Managers with Evidence of IT Controls (Excellent / Good / Fair/Poor):
     • Identify: 67% / 35% / 31%
     • Protect: 67% / 45% / 38%
     • Detect: 65% / 38% / 36%
     • Respond: 59% / 36% / 19%
     • Recover: 61% / 30% / 12%
     Mature, by Agency's IT Security Practices Relative to the Commercial Sector (More Robust / On Par / Not as Robust):
     • Identify: 65% / 36% / 18%
     • Protect: 70% / 47% / 21%
     • Detect: 71% / 39% / 10%
     • Respond: 52% / 37% / 18%
     • Recover: 51% / 32% / 13%
     Mature, by Preparedness to Discover, Manage and Secure Internet of Things (IoT) Devices (Completely Prepared/Some Enhancements Required / Major Upgrades of Security Controls Needed/Totally Unprepared):
     • Identify: 47% / 32%
     • Protect: 57% / 30%
     • Detect: 54% / 21%
     • Respond: 46% / 19%
     • Recover: 43% / 12%
  23. COMPLIANCE AND MANDATE SENTIMENTS: NIST Framework
     • Over half of respondents agree the NIST Cybersecurity Framework has been successful in promoting a dialog about managing risk. Opinions are split as to whether federal IT professionals fully understand the Framework.
     Question: To what extent do you agree or disagree with the following statements regarding IT security? (N=200)
     Statement: Strongly disagree / Somewhat disagree / Neither agree or disagree / Somewhat agree / Strongly agree (% Strongly/Somewhat Agree)
     • Federal IT professionals fully understand the NIST Cybersecurity Framework: 10% / 25% / 27% / 33% / 6% (38%)
     • Since its introduction in 2014 the NIST Cybersecurity Framework has been successful in promoting a dialogue about managing risk: 6% / 10% / 30% / 44% / 11% (55%)
  24. COMPLIANCE AND MANDATE SENTIMENTS: Security Improvement
     • Three quarters agree federal agencies are more proactive regarding IT security than they were five years ago.
     Question: To what extent do you agree or disagree with the following statements regarding IT security? (N=200)
     Statement: Strongly disagree / Somewhat disagree / Neither agree or disagree / Somewhat agree / Strongly agree (% Strongly/Somewhat Agree)
     • My agency’s ability to pass OMB, CCRI and other audits has improved: 4% / 9% / 30% / 45% / 12% (56%)
     • Compliance has helped my agency improve its cybersecurity capabilities: 4% / 10% / 28% / 41% / 18% (60%)
     • Regarding IT security, federal agencies are more proactive than they were 5 years ago: 2% / 8% / 15% / 48% / 26% (75%)
  25. COMPLIANCE AND MANDATE SENTIMENTS: Compliance and Risk Management
     • Seven in ten agree that being compliant does not necessarily mean being secure.
     Question: To what extent do you agree or disagree with the following statements regarding IT security? (N=200)
     Statement: Strongly disagree / Somewhat disagree / Neither agree or disagree / Somewhat agree / Strongly agree (% Strongly/Somewhat Agree)
     • Security regulations and mandates lead to complacency since tasks are performed to ‘check a box’: 4% / 18% / 24% / 43% / 10% (54%)
     • Risk management is too often treated as a compliance issue at my agency: 2% / 14% / 26% / 46% / 13% (58%)
     • Being compliant does not necessarily mean being secure: 4% / 8% / 18% / 32% / 39% (70%)
  26. COMPLIANCE AND MANDATE SENTIMENTS: Success Factors
     • Over two thirds agree implementation of relevant standards is critical to achieve their cybersecurity targets.
     Question: To what extent do you agree or disagree with the following statements regarding IT security? (N=200)
     Statement: Strongly disagree / Somewhat disagree / Neither agree or disagree / Somewhat agree / Strongly agree (% Strongly/Somewhat Agree)
     • Agencies that merge and balance both risk management and compliance are more likely to avoid IT security issues: 4% / 8% / 26% / 44% / 18% (62%)
     • Implementation of relevant standards is critical to achieve our cybersecurity targets: 3% / 4% / 26% / 40% / 28% (68%)
  27. COMPLIANCE AND MANDATE SENTIMENTS: Sentiment Differences
      • A significantly greater proportion of civilian than defense respondents agree federal IT professionals fully understand the NIST Cybersecurity Framework.
      • A greater proportion of respondents that indicate their agency’s ability to provide evidence of IT controls as excellent or good and respondents that are prepared to manage IoT devices agree their agency’s ability to pass OMB, CCRI and other audits has improved.
      To what extent do you agree or disagree with the following statements regarding IT security? (N=200)
      % Strongly/Somewhat Agree, by agency type:
        Federal IT professionals fully understand the NIST Cybersecurity Framework: Defense 28%, Civilian 46%
      % Strongly/Somewhat Agree, by agency’s ability to provide managers with evidence of IT controls:
        My agency’s ability to pass OMB, CCRI and other audits has improved: Excellent 63%, Good 63%, Fair/Poor 31%
      % Strongly/Somewhat Agree, by preparedness to discover, manage and secure Internet of Things (IoT) devices:
        My agency’s ability to pass OMB, CCRI and other audits has improved: Completely Prepared/Some Enhancements Required 62%, Major Upgrades of Security Controls Needed/Totally Unprepared 42%
  28. NETWORK MODERNIZATION: Network Modernization
      • Two thirds think federal agencies’ efforts regarding network modernization have resulted in an increase in IT security challenges.
      Do you think federal agencies’ efforts regarding network modernization have resulted in an increase or decrease in the IT security challenges faced? (N=200)
      Increase: 66%
      Decrease: 13%
      No effect: 20%
  29. NETWORK MODERNIZATION: Increased Security Challenges
      • Half of the respondents that believe IT security challenges have increased as a result of network modernization indicate it is due to more vulnerabilities in new technology stacks, the burden of supporting new and legacy systems and lack of training on new technologies.
      What are the reasons you believe IT security challenges have increased as a result of network modernization? (select all that apply) (N=133; multiple responses allowed)
      More vulnerabilities in new technology stacks: 53%
      Burden of supporting new technologies and legacy systems: 51%
      Lack of training on new technologies: 50%
      New technologies are not fully deployed: 42%
      New technologies are not deployed correctly: 39%
      Other: 3%
  30. NETWORK MODERNIZATION: Decreased Security Challenges
      • Most respondents that believe IT security challenges have decreased as a result of network modernization believe it is due to better tools for automated protection and remediation.
      What are the reasons you believe IT security challenges have decreased as a result of network modernization? (select all that apply) (N=26; multiple responses allowed)
      Better tools for automated protection and remediation: 85%
      Stronger built-in security features of new equipment: 65%
      Less legacy equipment to maintain: 54%
      Newer technologies contain smaller attack surfaces: 31%
      Fewer systems to maintain: 19%
      Other: 0%
  31. NETWORK MODERNIZATION: Obstacles of Network Modernization
      • Lack of funding is the top factor that respondents indicate hinders their agency’s ability to advance its network modernization efforts. One half also noted the federal procurement process as a hindrance.
      What are the top three factors that hinder your agency’s ability to advance its network modernization efforts? (select three) (N=200; multiple responses allowed)
      Lack of funding: 55%
      Complex and long federal procurement process: 50%
      Conflicting priorities: 38%
      Lack of skilled staff: 34%
      Increasing network complexity: 31%
      Lack of top management commitment: 24%
      Unrealistic goals and timelines: 20%
      Other: 2%
  32. TOOLS AND PRACTICES: Security Product Effectiveness
      • Over two thirds indicate the effectiveness is high for Smart Card/CAC to foster network and application security.
      The following are tools and practices that foster network and application security. Please indicate the effectiveness for each. (N=200)
      Responses are listed as Don't use / Low / Moderate / High.
      Smart Card / Common Access Card: 3% / 4% / 26% / 68%
      Identity and access management tools: 2% / 4% / 38% / 56%
      Endpoint security software: 3% / 6% / 44% / 48%
      Network admission control (NAC) solutions: 4% / 7% / 44% / 46%
      Patch management software: 4% / 8% / 44% / 45%
      Configuration management software: 4% / 8% / 47% / 42%
      Web application security tools: 2% / 11% / 49% / 38%
      File integrity monitoring software: 8% / 9% / 48% / 36%
      SIEM software: 6% / 7% / 51% / 36%
      Messaging security software: 8% / 14% / 48% / 32%
  33. TOOLS AND PRACTICES: Security Product Effectiveness Differences
      • A significantly greater proportion of respondents that indicate their agency’s ability to provide evidence of IT controls is excellent indicate most tools are high in effectiveness in fostering network and application security.
      • A significantly greater proportion of defense respondents indicate Smart Cards are effective, while significantly more civilian respondents indicate endpoint security, patch management, and messaging security software are highly effective.
      The following are tools and practices that foster network and application security. For each, please indicate the effectiveness. (N=200)
      Rated High, by agency’s ability to provide managers with evidence of IT controls (Excellent / Good / Fair/Poor):
        Endpoint security software: 61% / 44% / 38%
        Network admission control (NAC) solutions: 61% / 40% / 38%
        Configuration management software: 57% / 41% / 21%
        Web application security tools: 56% / 30% / 33%
        Patch management software: 54% / 46% / 31%
        File integrity monitoring software: 52% / 38% / 10%
        SIEM software: 52% / 35% / 21%
        Messaging security software: 46% / 28% / 21%
      Rated High, by agency type (Defense / Civilian):
        Smart Card / Common access card for authentication: 76% / 61%
        Endpoint security software: 36% / 56%
        Patch management software: 30% / 56%
        Messaging security software: 20% / 40%
  34. INTERNET OF THINGS: Agency Assessment – Prepared for IoT
      • The majority of respondents indicate some enhancements are required to discover, manage and secure Internet of Things (IoT) devices.
      • A greater proportion of respondents that indicate their agency’s ability to provide evidence of IT controls as excellent and those who indicate their IT security practices are more robust than the commercial sector are completely prepared.
      Given the current state of your agency’s overall security controls, how would you rate your preparedness to discover, manage and secure Internet of Things (IoT) devices? (N=200)
      Totally unprepared: 5%
      Major upgrades of security controls needed: 24%
      Some enhancements required: 60%
      Completely prepared: 12%
      By agency's IT security practices relative to the commercial sector (More Robust / On Par / Not as Robust):
        Completely prepared: 23% / 8% / 3%
        Some enhancements required: 61% / 65% / 44%
        Major upgrades needed: 14% / 22% / 44%
      By agency’s ability to provide managers with evidence of IT controls (Excellent / Good / Fair/Poor):
        Completely prepared: 30% / 7% / 2%
        Some enhancements required: 52% / 68% / 48%
        Major upgrades needed: 15% / 24% / 33%
  35. INTERNET OF THINGS: IoT Security Challenges
      • Increased attack surface is noted most often as the greatest security challenge that agencies will face as the Internet of Things (IoT) evolves.
      What are the three greatest security challenges and concerns that agencies will face as the Internet of Things (IoT) evolves? (select three) (N=200; multiple responses allowed)
      Increased attack surface: 38%
      Inconsistency of the security on connected devices: 36%
      Lack of IT staff knowledgeable of IoT: 36%
      Potential data privacy issues: 35%
      Out of date software/firmware running on IoT devices: 33%
      Lack of updates of IoT devices: 26%
      Inability to detect and inventory IoT devices: 22%
      Collection of IoT device data by third parties: 22%
      Other: 2%
  36. SECURITY COMPARISON TO COMMERCIAL SECTOR: Security Comparison to Commercial Sector
      • Nearly half feel their agency’s security practices and protocols are on par with the commercial sector.
      • Defense respondents, those who rate their agency’s ability to provide evidence of IT controls as excellent, and those that are prepared to manage IoT devices indicate significantly more that their agency’s security practices are more robust than the commercial sector.
      In general, how would you compare your agency’s IT security practices and protocols relative to those in the commercial sector? (N=200)
      My agency’s security practices and protocols are:
        More robust than the commercial sector: 34%
        On par with the commercial sector: 46%
        Not as robust as the commercial sector: 20%
      More robust than the commercial sector, by agency’s ability to provide managers with evidence of IT controls: Excellent 52%, Good 33%, Fair/Poor 17%
      More robust than the commercial sector, by agency type: Defense 45%, Civilian 26%
      More robust than the commercial sector, by preparedness to discover, manage and secure Internet of Things (IoT) devices: Completely Prepared/Some Enhancements Required 41%, Major Upgrades of Security Controls Needed/Totally Unprepared 19%
  37. COMMENTS: Select Comments
      Please feel free to share any other comments or concerns regarding your agency’s IT security challenges and success stories. (open end)
      • Hard to hire skilled people in a timely fashion, huge gaps in knowledge. [CIVILIAN]
      • Despite all the outside threats, our worst security problems have come from insider issues - some of it malfeasance, some of it ignorance, some of it laziness. This despite non-stop documented training in all these areas. [DEFENSE]
      • Conflicting compliance and procurement regulations. [DEFENSE]
      • A big problem for us is a desire on the part of many to integrate our software system with contractors that serve us. Not a bad idea except we literally have 50,000 different contractors we deal with on a daily basis. This may be possible for some of the largest contractors but not all. [DEFENSE]
      • Poor BYOD policies have led to more challenges. [DEFENSE]
      • Our equipment is shamefully outdated. [CIVILIAN]
      • Complexity of regulatory framework adds to challenges. [DEFENSE]
  38. KEY TAKEAWAYS
      • Overall, the majority of agency decision makers rate themselves highly for evidence of appropriate IT controls and believe they are on par with or more robust than the commercial sector in terms of IT security practices and tools. Three quarters believe federal agencies are more proactive regarding IT security than five years ago.
      • Budget constraints continue to be an obstacle to improving IT security at their agencies as well as impeding the detection and remediation of security issues. Lack of funding is also hindering agencies’ ability to advance their network modernization efforts.
      • Careless/untrained insiders, foreign governments and the general hacking community continue to be the top sources of IT security threats, similar to the past three years. SPAM and Malware are noted as increasing in the last 12 months.
      • Though the majority agree that compliance has helped their agency improve its cybersecurity capabilities, seven in ten believe that being compliant does not necessarily mean being secure. Over half believe that security regulations and mandates can lead to complacency since tasks are performed to ‘check a box’.
  39. KEY TAKEAWAYS
      • The majority believe that NIST’s Cybersecurity Framework has been successful in promoting a dialogue about managing risk, and more than eight in ten indicate their agencies are at least somewhat mature in each of the five areas of the Framework. Still, over a third agree that federal IT professionals don’t fully understand the Framework.
      • Two-thirds think that federal agencies’ efforts regarding network modernization have resulted in an increase of IT security challenges. Respondents cite more vulnerabilities in new technology stacks, the burden of supporting new and legacy systems and lack of training on new technologies as reasons for the increased challenges.
      • Few feel their agencies are completely prepared to discover, manage and secure the Internet of Things. The majority believe that at least some enhancements are required. IoT brings a number of security challenges, most notably an increased attack surface, inconsistency of security in connected devices and the lack of knowledgeable IT staff.
      • Smart Cards and identity and access management tools are rated most often as highly effective tools that foster network and application security.
  40. RESEARCH TO INFORM STRATEGIC DECISION-MAKING: Contact Information
      Laurie Morrow, VP, Research Strategy | Market Connections, Inc.
      11350 Random Hills Road, Suite 800 | Fairfax, VA 22033 | 703.378.2025
      LaurieM@marketconnectionsinc.com
      Lisa M. Sherwin Wulf, Director of Marketing - Federal & National Government | SolarWinds
      703.386.2628
      Lisa.SherwinWulf@solarwinds.com
      www.solarwinds.com/federal
      LinkedIn: SolarWinds Government
