In a 2009 ESG Research survey, 47% of security professionals working at enterprise-class organizations (i.e. those with 1,000 employees or more) said that their organization was vulnerable to a confidential data breach as a result of "a lost or stolen IT asset." Looking at this data on an industry-by-industry basis, the government sector stood out. Sixty-six percent of security professionals working at government organizations said that their organization was vulnerable to a confidential data breach as a result of "a lost or stolen IT asset" -- this is significantly higher than the general population.

This begs the question: Why is the government sector so much more vulnerable here? Based on additional ESG data, I believe that this distinction may be the result of issues like:

1. Bureaucracy: When the CEO mandates that all laptops are encrypted, CIOs and purchasing managers jump. Not so in the government sector. For example, the Federal Office of Management and Budget released a memo to the heads of executive departments and agencies (M-07-16) in May 2007 calling for agencies to use, "encryption . . . and other security controls to make information unusable by unauthorized individuals." In spite of this memo, and a SmartBuy program to make it easy for agencies to acquire full-disk encryption technology (SafeBuy, Data at Rest Tiger Team (DARTT)), a large number of Federal government laptops remain unencrypted (author's note: The last report I read a few months ago mentioned 40% of Federal laptops remain unencrypted but I couldn't find any more recent data). It certainly seems like government procurement and IT processes are creating a bottleneck.

2. Training: Sixty-eight percent of government organizations believe that "communicating and training employees on confidential data security policies," is most important when it comes to confidential data security, yet more than one-third of respondents said that their government organization is either "fair" or "poor" in this area. Untrained employees can't be blamed for violating policy.

Clearly government organizations must improve in these areas. Let's hope that FISMA 2.0 and the cybersecurity coordinator expedite a solution here.