The majority of federal IT decision makers in the national defense and security department agencies aren't expecting many changes from the newly named cyber-security coordinator.
That's according to a survey of 201 IT pros commissioned by Lumension. The survey, conducted last month by Clarus Research Group, found that more than half "expect only minor policy changes" as a result of the creation of the cyber-security coordinator position. In addition, a full 74 percent view the possibility of a cyber-attack against the United States in the next year by a foreign nation as "high," and 42 percent rated the country's ability to handle such an event as "fair" or "poor."
Thirty-three percent of the respondents working for departments or agencies affecting national security said they experienced an attack by a foreign nation or terrorist group in the last year.
"Unfortunately, when it comes to our infrastructure, we are already under attack and are faced with the reality of a growing and advanced persistent threat from foreign entities that are targeting our critical U.S. infrastructure," said Pat Clawson, CEO of Lumension, in a statement. "The traditional government responses we've seen so far, such as naming a security coordinator, announcing a cyber-security initiative and focusing on compliance initiatives, will not alone successfully address this problem."
Among the other findings in the study:
â¢ 41 percent said they spent less than 10 percent of their time over the past year working on the Comprehensive National Cyber Security Initiative; 62 percent said they spent less than 25 percent of their time on it.
â¢ 49 percent believe that negligent or malicious insiders/employees are the largest IT security risk.
â¢ 26 percent of respondents said they expect the amount of mobile and smartphones in their organizations to increase greatly in the next year, while 23 percent said they expect virtualization to increase greatly.
"We must do three things if we are to truly empower and implement a robust national cyber-security plan," Clawson said. "One - we need to have an empowered cyber security czar, with budget and policy authority, reporting directly to the President. Next - given that 90 percent of our critical infrastructure is owned or managed by private entities, we need a collaborative government and private sector partnership to better understand the risks at hand and to better define IT security standards, practices, and contingency plans in the event of a major attack. And finally - we need to shift from an absolute focus on being compliant with ad-hoc audits for verification, to one of being secure and continuously monitoring our IT environment to ensure that the proper controls are always in effect."