A new survey of public-sector organizations found that budget constraints and the complexity of IT environments continue to hamper cybersecurity efforts, especially in the federal government.
According to a survey done by SolarWinds, an IT management company, 24 percent of federal respondents said that budgetary constraints limited entities’ ability to improve IT security, while 21 percent cited complex internal systems.
“Led only by budget constraints, complexity of internal environments is one of the most significant high-level obstacles to maintaining or improving IT security, and respondents indicated it’s keeping them from easily segmenting users and adopting a zero-trust approach,” said Brandon Shopp, vice president for product strategy at SolarWinds.
Those two numbers are continuing to change year-over-year. Budgetary constraints are decreasing, dropping from 40 percent in the 2018 survey to 24 percent last year.
The share of respondents citing network complexity held at 21 percent, the same as last year, but that number was 14 percent in 2014, when the survey started.
The survey included 200 federal IT operations and security leaders, 100 state and local, and 100 education leaders.
Across all respondents, 52 percent said that “careless and untrained” insiders were the top threat to cybersecurity.
“Security is everyone’s job, but holding the team accountable is lacking. Until there are real individual accountability regimens in place, the network will remain at risk,” one federal civilian division chief told SolarWinds.
Fewer than half of respondents expressed confidence in their team’s ability to keep up with emerging threats, even if their security operations center is outsourced. According to the results, 86 percent of respondents rely on in-house staff as the main security team, but only 41 percent felt “very confident” that their team could maintain the right skills.
Fifty-seven percent of respondents told SolarWinds that their organizations were most mature in end-point security and continuity of operations. Fifty-six percent also said their organizations were most mature in identity and access management.
“However, there was not a single cybersecurity capability for which more than 57 percent of respondents claimed to be organizationally mature,” according to the SolarWinds news release.
Sixty-one percent of public sector organizations segment users by risk level, but struggle to do so because of the growing number of devices and number of users that need access to the networks. Around one-third of respondents said their organization had established a zero-trust strategy, while another one-third don’t have a formal strategy established but are “modeling their approach based on zero trust.”
“These results clearly demonstrate the degree to which most public-sector organizations are struggling to manage cyber risk,” said Tim Brown, vice president of security for SolarWinds. “While it’s heartening to see that almost two-thirds of respondents are formally segmenting users — a helpful step in managing risk — the data finds careless and untrained users to still be the weakest link.”
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.