Cybersecurity is chief worry of federal chief information officers

Cybersecurity was the chief concern of US federal CIOs in this survey

Around 20% of federal CIOs view cybersecurity as their top concern, followed by controlling costs (15%), human capital (12%), central agency policy (10%), mobility (7%), and other responses (37%). Items in the “other” group included growth in demand or requirements, shared services, politics, analytics, investment management, specific technologies, change management, and leadership, according to the survey.

For the survey, representatives from TechAmerica interviewed CIOs and other IT officials at 35 federal departments, agencies, major programs, and congressional oversight groups.

“A lot of the cybersecurity concerns are internal”, noted George DelPrete, partner at Grant Thornton and chair of the TechAmerica CIO survey group. “A lot of the resources are focused on protecting the perimeter to keep out the bad guys, whereas a lot of the challenges are internal control issues”, he told Infosecurity.

For example, access issues are a major concern for CIOs, such as people leaving an organization and their password not being deprovisioned, DelPrete explained.

“Better training and continuous monitoring were a couple of things that were cited to address that problem”, he added.

Federal CIOs are struggling to find the right balance between security and operational use. “Cybersecurity folks and the user community often have differing views of the world. Users want things to be easy to get to, and cybersecurity folks want things to be secure. Those objectives are not often in alignment. CIOs need to find that right paradigm so they can balance those things”, DelPrete said.

While internal threats are a top concern, external threats have not gone away, particularly with the rise in hacktivism and spear phishing attacks. “External threats are coming from many more angles”, he noted.

Federal CIOs also expressed the view that cybersecurity issues needed to be solved with a government-wide approach, rather than an agency-by-agency approach.

In particular, a number of respondents supported the shift of Federal Information Security Management Agency (FISMA) responsibility from the Office of Management and Budget to the Department of Homeland Security or the Department of Defense, agencies that have more experience with operational aspects of cybersecurity, DelPrete observed.

In addition, the CIOs wanted FISMA to be overhauled, moving it away from being a compliance checklist to a continuous monitoring approach. “It is a cumbersome paper exercise for a lot of the agencies”, he said.

Federal CIOs also said they need more funding for cybersecurity, and that money should be earmarked specifically for cybersecurity research and development.

Security concerns pose barriers to other IT management goals that CIOs want to achieve, such as data center consolidation, shared services, and cloud adoption. “On the other hand, the quest for cybersecurity often leads to these same initiatives because centralizing IT assets makes it easier to protect them. In this sense, savings and security should go hand in hand”, the report concluded.
