A new report from security and compliance firm Tripwire reveals that security professionals are receptive to increased regulation by the federal government in the interest of improving overall organizational cyber defenses.
Specifically, security professionals broadly support the National Institute of Standards and Technology's (NIST) stricter standards and their expansion to include industries that were not previously subject to them. They also support large-scale deployment of "zero trust" architecture. However, they also want to see the federal government lead by example: 99% think federal agencies are not doing enough to protect their own data and systems.
Security professionals support government intervention, but want to see strong leadership
The Tripwire report surveyed more than 300 IT security professionals in September, all working for organizations with 1,000 or more employees. 103 worked for a federal government agency. Respondents are very positive about NIST; none said they saw no value in it, and only about 5% said there was “little” value. The majority of those surveyed say they are “very valuable”.
Although security professionals adhere to NIST standards, they report that their organizations are slow to comply. Only about 49% of all non-federal government entities and only 46% of critical infrastructure organizations have fully adopted NIST standards (whether or not they are required to do so; there is roughly a 50/50 split on this question among this group of respondents).
Relatively few ignore NIST entirely, around 7-9% of each respondent group. But many say they have only "somewhat" implemented NIST standards, including 46% of respondents from critical infrastructure companies.
The vast majority of security professionals, 95%, say they want the federal government to step in and take a stronger hand in getting organizations to comply with NIST. 43% say they want to see NIST standards strengthened. 39% want NIST to be mandatory for businesses outside of the federal government. 38% want to see new legislation that improves safety standards for federal government agencies.
Security professionals (99%) are even more supportive of seeing the federal government police themselves better when it comes to cybersecurity. In addition to the 38% who want to see new and improved NIST legislation, 36% want stricter enforcement. 28% expressed a wish to see the government regulate cryptocurrency as a way to reduce ransomware attacks.
Perceptions of the federal government's security also vary depending on where security professionals work. 43% of those who work for a federal agency believe that the government does a better job on security than the private sector; only 28% of their private sector counterparts agreed with this view. The divergence is even greater on how well the federal government handles ransomware attacks: 81% of federal employees think the government has done a good job, with only 44% of other respondents agreeing.
Federal government confidence in cybersecurity somewhat shaken
While federal government security professionals are more likely to think they are doing a better job than the private sector, trust in general is not high. 12% of these respondents said they believe their agency is falling behind when it comes to online security, and 59% said they are barely keeping pace with threats.
Members of federal and private organizations were asked why they felt they were falling behind (if at all). Non-federal organizations were more likely to say they lacked internal expertise and resources, and were struggling because their industry had generally not been targeted until recently. An equal number (42%) believe that leadership does not prioritize cybersecurity.
Organizations that felt ahead of the threat landscape were most likely to attribute it to mindful cybersecurity leadership, adequate investment in people and tools, and motivation for both driven by the potential cost of failure.
Concerns about cyber attacks remain about the same as they have been for some time. More than half of respondents are most concerned about ransomware, which is not surprising after the events of 2021. A quarter to a third (respondents were able to choose two main concerns) said their greatest concern right now was vulnerability exploits, social engineering, or credential theft.
What has changed is that critical infrastructure companies are much more concerned about ransomware after the Colonial Pipeline and JBS incidents; 83% of these companies mention it as a major concern, compared to only 28% of federal government agencies. Almost all non-federal government respondents say that the major ransomware attacks of 2021 have also had a significant impact on their e-strategy, with 49% having already taken action in response and 35% saying they currently have plans in place to do so.
Zero trust support is also high among all security professionals. Only 4% said they weren't interested or didn't know what it was. 75% say it is at least "fairly likely" that their organization will adopt it. 53% look to NIST guidelines when adopting it, more than any other source. Development continues, however, with only 13% reporting that they have a "mature" program at present.