Security Audits Lead Government Executives to Increase Threat Protection
Failed security audits indicate bigger problems
Roughly one-fifth of the 209 government executives who responded to the 1105 Government Information Group Content Solutions Information Security Survey have recently failed IT security audits. Such audits are conducted both as a matter of ongoing internal COOP procedures, and as mandated by federal regulations, such as FISMA.
IT security audits are conducted to test and ensure that an agency’s IT assets are, in fact, protected. Not surprisingly, those respondents who reported failing an IT security audit were also more apt to increase their budgets for IT security protections.
Since agencies undergo both external and internal security audits, the survey asked about each: nearly 20% of respondents had failed at least one external audit and 22% had failed at least one recent internal security audit. Those respondents who anticipate receiving an IT security budget increase are also the most apt to have failed one or more security compliance audits.
In total, an average of 14% of annual IT budgets were allocated to IT security threat prevention and regulatory compliance. On the topic of regulations, the vast majority, 70% of respondents, agreed that their agencies will likely be subject to new regulations that will affect information security efforts and spending. Only 9% disagreed with this statement.
Meanwhile, 67% of respondents agreed that as agency information security demands keep increasing, IT budgets are decreasing. Only 12% disagreed with this statement. In all, it appears that budgets under ongoing restrictions may not be keeping pace with the growing demand for IT threat prevention solutions and with related regulatory mandates.
In fact, the difficulty involved in achieving a balance between accessibility and security was evident in the survey results. Respondents said that when security procedures are too stringent, agency employees tend to find ‘work-arounds’ to get their jobs done. More than 40% of respondents agreed that employees work around current IT security policies to get their jobs done. At the same time, however, another 38% said this doesn’t happen.
Separately, on the topic of rules in general, and whether agency personnel are following all IT security policies, nearly equal shares of respondents, each just under 40%, agreed and disagreed that their organizations follow security policies. A full quarter of respondents to this question remained neutral or were unsure how to answer. This split of diametrically opposed opinions further indicates the challenge of striking a proper balance between policies that protect agency resources and giving agency users access to the information and resources they need.
Meanwhile, it appears that most government executives who responded to the survey remain confident that current agency threat prevention policies keep the agency secure. Just under 60% of respondents expressed confidence in current security policies, while just about 20% disagreed, denoting a lack of confidence in security policies. Diving deeper, the survey results indicated that state and local government respondents were less confident about agency threat prevention policies than their federal government counterparts.