The Mars-and-Mercury problem of cybersecurity

cyber security experience report

Half of all agency cybersecurity breaches are caused by feds who fail to comply with security measures in place at their agencies, according to a Meritalk study released Oct. 15. (Download the report).

The study, which polled 100 government cyber professionals and 100 federal employees, suggests a rift between IT cybersecurity professionals who value security above all else and their systems' end users – the feds who just want to do their jobs.

Titled "The Cyber Security Experience: Cyber Security Pros from Mars; Users from Mercury," the study finds 31 percent of federal employee end-users use some form of security work-around at least weekly, and nearly 20 percent of feds have failed to complete a work assignment because of existing security measures. Feds reported being most frustrated by simple tasks like surfing the web and downloading files, the same two tasks that cybersecurity professionals said most frequently produced security breaches through external attacks like phishing and malware.

The protocols cyber pros find necessary to keep data secure are burdensome, time-consuming and sometimes obstructive to their end users.

"More security rules, more security tasks, and more security delays have done little to drive more user buy-in for cybersecurity," said Tom Ruff, Akamai's vice president for public sector. Akamai underwrote the study.

Despite obvious disagreements on implementation, 95 percent of end users and cyber professionals agreed the deployment of cybersecurity measures is an "absolute necessity" to prevent against data loss, data theft and denial-of-service (DOS) attacks.

According to end-users surveyed, possible strategies to mitigate the bridge between themselves and security professionals include a single sign-on (56 percent), user-friendly interface (27 percent) and streamlined access to mobile applications (13 percent). However, cyber professionals rated "ensuring a user-friendly experience" dead last as a priority, indicating they favor the nuts and bolts of a tool over its looks and ease of use.

"Without question, federal cybersecurity pros have a tough job, but they must start working with end users as partners instead of adversaries," Ruff said. "It is a team game, and better support for users will deliver better results for security."

The news is particularly alarming because the number of cybersecurity threats to federal agencies continues to increase, as does the amount of damage attackers can do. Half the cyber professionals polled say their agency is likely to be a DOS attack victim in the next year – and less than 75 percent of agencies feel "completely prepared" for a variety of potential cyberattacks.

About the Author

Frank Konkel is a former staff writer for FCW.

Nominate Today!

Nominations for the 2018 Federal 100 Awards are now being accepted, and are due by Dec. 23. 


Reader comments

Thu, Oct 17, 2013

Cyber security people will express that one should do a control because of a risk that will be reduced. Unfortunately everyone else looks at it as an activity that will raise overall cost of the current mission and it becomes a convenient target to eliminate. The mission owner chooses to avoid the security cost because they don't want to understand the overall risk to the entire mission. Then an incident happens and the mission becomes unavailable and then later untrusted, and you get zero tolerance project people trying to apply controls after the fact. Security should be applied first to an overall enterprise strategy to be cost efficient. Mission exceptions should come with a time limit and isolated from affecting the other missions.

Thu, Oct 17, 2013 Baby Jesus

All of the blame shouldn't go to the cybersecurity professionals, if more developers would ensure they are producing secure code rather than just making a nice user interface. It would aslo help if developers familiarized themselves with security requirements, and project managers bring security professionals in at the beginning of the project, rather than after development has started. I agree there are some cybersecurity professionals that act as "werewolfs", however all of us are not like that. We don't want to impede progress or be a "stop sign", we just want to ensure the data and system is secure. There are many developers out there that need to learn some professionalism as well. Also, realize those security settings, in the federal workplace, are requirements that the cybersecurity professionals are required to implement, not just settings picked out of the air for fun.

Wed, Oct 16, 2013 earth

There are clearly two problems. The first is that cybersecurity “professionals” tend to exhibit no concern for the ability of others to be able to do their job. They enact literally hundreds of security settings that are individually reasonable but in interaction make work impossible. For one instance, I need to make a application CAC aware and block access without one but I am not allowed to use IIS on my development machine so I can’t test the code to certify it works. One the other hand, I can’t put the application on a machine that actually has IIS set to “require certs” until it is certified to block access otherwise. Another example is that I am required to use the “latest software” that has security bugs fixed but I am not allowed to load the latest software on my machine without permission from some agency far far away and unresponsive at the best of times. Not that I can load the software from any source that isn’t blocked even if I got permission. If they were truly “professionals” they would determine what people need to be able to do their jobs and insure the settings on that persons profile (note the individual profile, not a one size treats friends the same a foes profile) didn’t block their work or make them bypass security to keep from looking ineffective. Developers use an agile process to ensure their efforts support the user and the height of that experience is when the user doesn’t even notice they are using an application (until it dies). (there is such a thing as “Roles” in development and security needs to develop the same responsiveness)
The other problem is that, in my experience, the majority of the cybersecurity “professionals” need to take this response to heart: “but they must start working with end users as partners instead of adversaries," There are two parts here: 1. Working with end users as partners (see above) and 2:instead of adversaries. Many seem to have a personality that is a cross between a werewolf, a puffer fish and God Almighty. I do not need a “user-friendly experience” I need to be able to do my job without fighting security more than I fight the enemy. When one part of the Navy blocks the web sites of other parts of the Navy, they have moved from reasonably effective into blindly paranoid. I am not the enemy, But if you insist on treating me, and everybody else on the earth as the enemy then don't expect me or any one else to treat you as a friend. They need to learn some professionalism.

Wed, Oct 16, 2013

That ..."'ensuring a user-friendly experience' [is] dead last as a priority..." for cybersecurity professionals does not mean that they prefer clunky, inefficient user interfaces. It does mean that they do not endorse sacrificing assurance in order to provide users bells and whistles that frequently are not part of a mission-based requirements set.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group