A survey of more than 1,800 federal employees showed little confidence in the government's ability to translate cybersecurity investments into real results, according to a report by the International Information Systems Security Certification Consortium — or (ISC)2 — released May 14.

The majority of those polled said the government's security posture today is better than (27 percent) or the same as (47 percent) a year ago, though both numbers dropped slightly compared to responses from 2013. Seventeen percent said information security is worse off, up from 12 percent in 2013.

"The U.S. government has spent a lot of time, money and effort on policies, programs and tools designed to improve its security posture but thus far there has been little return on that investment," the report notes.

Download: 2015 (ISC)2 Information Security Workforce Study

Dan Waddell, (ISC)2 director of government affairs for the national capital region, sees the lack of progress as a step backward.

"While the task at hand is indeed overwhelming given the complexity of threats and the government's limited resources, when we consider the amount of effort dedicated over the past two years to furthering the security readiness of federal systems and the nation's overall security posture, our hope was to see an obvious step forward," he said. "The data shows that, in fact, we have taken a step back."

Despite funding from DHS to help agencies jump-start their Continuous Diagnostics and Mitigation programs, adequate funding (25 percent) was the least cited reason for improvement in security. Improved security awareness (76 percent) and better understanding of risk management (58 percent) were cited most often by respondents.

Conversely, inadequate funding (71 percent) and poor understanding of risk management (73 percent) were among the top reasons security is lagging, with an inability to keep up with the growing threat landscape (80 percent) topping the list.

Homeland Security and the Office of Management and Budget have instituted a number of cybersecurity programs in recent years, but agency employees aren't always seeing the results of these initiatives.

More than two-thirds of respondents listed the National Institute of Standards and Technology's risk management framework documents as the most useful federal initiatives, while FedRAMP (34 percent) and the CyberStat review process (13 percent) were lowest on the list.

For context, 64 percent said they weren't sure whether FedRAMP had any effect on the security of their agency's cloud services, with 18 percent saying it had and 18 percent saying it hadn't.

"Overall, the federal government must invest more to improve cybersecurity, but it needs to find better ways to ensure that those investments will provide adequate returns," Waddell said. "Given the significant demand for skilled professionals, training and education are areas of investment that can lead to significantly higher returns and help to both attract and retain cybersecurity professionals."

Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.
