Why is this the case and what are government agencies doing about it? In a 2009 ESG Research survey, 47% of security professionals working at enterprise-class organizations (i.e. those with 1,000 employees or more) said that their organization was vulnerable to a confidential data breach as a result of “a lost or stolen IT asset.” Looking at this data on an industry-by-industry basis, the government sector stood out. Sixty-six percent of security professionals working at government organizations said that their organization was vulnerable to a confidential data breach as a result of “a lost or stolen IT asset” — significantly higher than the general population.

This begs the question: why is the government sector so much more vulnerable here? Based on additional ESG data, I believe that this distinction may be the result of issues like:

1. Bureaucracy. When the CEO mandates that all laptops be encrypted, CIOs and purchasing managers jump. Not so in the government sector. For example, the Federal Office of Management and Budget released a memo to the heads of executive departments and agencies (M-07-16) in May 2007 calling for agencies to use “encryption . . . and other security controls to make information unusable by unauthorized individuals.” In spite of this memo, and a SmartBuy program to make it easy for agencies to acquire full-disk encryption technology (SafeBuy, Data at Rest Tiger Team (DARTT)), a large number of Federal government laptops remain unencrypted (author’s note: the last report I read a few months ago mentioned 40% of Federal laptops remain unencrypted, but I couldn’t find any more recent data). It certainly seems like government procurement and IT processes are creating a bottleneck.

2. Training. Sixty-eight percent of government organizations believe that “communicating and training employees on confidential data security policies” is most important when it comes to confidential data security, yet more than one-third of respondents said that their government organization is either “fair” or “poor” in this area. Untrained employees can’t be blamed for violating policy.

Clearly government organizations must improve in these areas. Let’s hope that FISMA 2.0 and the cybersecurity coordinator expedite a solution here.