New research by Tripwire has revealed security professionals working in the federal sector want the government to play a bigger role in securing non-governmental companies.
The research report evaluated actions taken by the federal government to improve cybersecurity in 2021 and was conducted for Tripwire by Dimensional Research. It evaluated the opinions of 306 security professionals, including 103 currently working for a United States federal government agency, with direct responsibility for the security within their organisation.
According to the research, security professionals responsible for critical infrastructure believe that National Institute of Standards and Technology (NIST) standards should not only be improved and strengthened but enforced outside the federal government. This is likely because only 49% of non-governmental organisations surveyed (critical infrastructure and others) have fully adopted NIST standards, yet still identify ransomware as a primary security concern.
Federal security professionals are aligned with this thinking and also believe the government should be doing more to protect its own data and systems (99%). In fact, 24% think they are falling behind when it comes to preparedness to face new threats and breaches, citing lack of both leadership prioritisation and internal expertise and resources as primary reasons.
“It’s clear that organisations – both public and private sector – are seeking further guidance from the federal government,” said Tim Erlin, vice president of strategy at Tripwire. “Generally, long-term enforcement and implementation of cybersecurity policy will take time, but it’s important that agencies lay out a plan and measure execution against that plan to protect our critical infrastructure and beyond.”
When it comes to implementing Zero Trust Architecture, both federal and non-governmental organisations agree this strategy could materially improve cybersecurity outcomes, but only 22% say improvement is highly likely. They also agreed that integrity monitoring is foundational to a successful Zero Trust strategy (50%), or at least somewhat important (43%), but only 22% considered measuring integrity and security posture to be a core tenet of Zero Trust Architecture. Secure communication (44%), limiting individual access (39%), and identifying data sources and computing services as resources (36%) were most commonly identified.
Additionally, the survey examined where organisations track on the path to Zero Trust:
- 25% of those surveyed from the federal government described their Zero Trust implementation as mature, while only 2% of critical infrastructure organisations identified this way
- The majority of security pros – both public and private sector – described their progress toward Zero Trust adoption as needing some work, or in progress
- Security professionals look to federal government guidelines as the top source for obtaining Zero Trust strategies and best practices, followed by information from security solutions vendors, consultants, and analysts.
“It’s promising to see progress toward Zero Trust implementation, but lack of focus on integrity is where we fall short,” said Erlin. “Maintaining and understanding the integrity of an organisation’s people, processes and technology is the foundation of strong Zero Trust architecture and should be prioritised as such. Simply put, you can’t have Zero Trust without integrity.”
While hardening systems against ransomware may be a driving force for implementation now, 83% of security pros expect that something worse than ransomware may be coming. Fortunately, both federal and non-governmental organisations have responded to this year’s attacks on critical infrastructure with preventative action – 98% of agencies report progress on executive orders on cybersecurity (half say significant progress), and over 50% of non-government groups have taken specific steps to improve cybersecurity efforts.