State security pros feel budget squeeze

A survey published Monday of chief information security officers (CISO) for almost every state in the union shows that the vast majority feel they don’t have adequate budgets.

Biggest insider threat: Sys admin gone rogue

In addition, most CISOs said that they are slightly more concerned about the insider threat posed by employees and trusted third parties than outside threats, such as malware or someone stealing a laptop, in terms of protecting sensitive data held by state governments.

The cybersecurity survey was conducted by the consultancy Deloitte in tandem with the National Association of State Chief Information Officers (NASCIO) to gauge the views of the CISOs for the states. Only one of the 50 states (not identified) is not included in the responses. 88% of these 49 CISOs working for state government who did respond to the survey said they feel “lack of sufficient funds” is a major barrier to cybersecurity.

In addition, 46% of these state CISOs said their budgets were reduced in the period 2009 to 2010, while 38% said they remained the same. The “2010 Deloitte-NASCIO Cybersecurity Study” notes that “state CISOs substantially lack the funding, programs, resources and tools available to CISOs of comparable private-sector enterprises.” The report also says state CISOs often appear to lack authority to manage risks across multiple agencies and departments.

In comments in the report, Steve Fletcher, NASCIO president and CIO of the state of Utah, said, “Unprecedented budget cuts across state governments and outsourced IT services are creating an environment that is even harder to secure, and the report highlights the growing concerns of CISOs in this regard.”

And when it comes to their main concerns, the insider threat posed by an employee or trusted partner tops the outsider threat in terms of what they worry about the most.

When asked about their “level of confidence in protecting information assets from threats,” the CISOs expressed more worry about “attacks originating internally” than “attacks originating externally.”

When asked about attacks originated internally, 19% said they were “not very confident” and 6% said “not confident at all” in their level of confidence in protecting information technology from threats. In comparison, 4% of CISOs were “not confident at all” and 13% “not very confident” when asked about protecting IT assets against outside threats.

In the last 12 months, 55% of the survey’s respondents said their state had had an “accidental breach of information originating from inside the enterprise.” And 36% said they had a “breach of information originating from inside the enterprise conducted by an employee (e.g., abuse of privileged access, phishing e-mail, etc.)”.

The main external breach can be traced back to “malicious software originating from outside the enterprise (for example viruses/worms/spyware), with 68% saying their state government or agency had experienced that in the past 12 months.

Read more about wide area network in Network World’s Wide Area Network section.