A new report from security and compliance firm Tripwire finds that security professionals are receptive to the idea of more regulation by the federal government in the interest of improving overall organizational cyber defenses.
Specifically, security professionals broadly support stronger standards from the National Institute of Standards and Technology (NIST), and expansion of them to include industries that previously were not subject to them. They also support a broad rollout of “zero trust” architecture. However, they also want to see the federal government lead by example — 99% feel that federal agencies are not doing enough to protect their own data and systems.
Security professionals support government intervention, but want to see strong leadership
The Tripwire report surveyed over 300 IT security professionals in September, all working for organizations with at least 1,000 employees. 103 worked for a federal government agency. Respondents are very positive on NIST standards; none at all said they saw no value in them, and only about 5% said there was “little” value. The majority of respondents say that they are “very valuable.”
Though security professionals are on board with NIST standards, they report that their organizations are slow in getting into compliance with them. Only about 49% of all non-federal government entities and only 46% of critical infrastructure organizations have fully adopted NIST standards (whether or not they are required to; this respondent group is split roughly 50/50 on whether compliance is required of them).
There are relatively few that pay no regard at all to NIST, about 7 to 9% of each respondent group. But many say they have only “somewhat” implemented NIST standards, including 46% of critical infrastructure companies.
The vast majority of security professionals, 95%, say they want to see the federal government step in and take a firmer hand in getting organizations to NIST compliance. 43% say they want to see the NIST standards beefed up. 39% want NIST to be mandatory for companies outside of the federal government. 38% want to see new legislation that improves security standards for federal government agencies.
There is even greater support among security professionals (99%) for seeing the federal government police itself better when it comes to cybersecurity. In addition to the 38% that want to see new and improved NIST legislation, 36% want to see stronger enforcement of the rules. 28% expressed a desire to see the government regulate cryptocurrency as a means of cutting down on ransomware attacks.
Perception of federal government security also flips depending on where the security professionals work. 43% of those working for a federal agency feel the government does a better job with security than private industry; only 28% of their private sector counterparts agreed with that take. There is an even bigger split in opinions on federal government handling of ransomware attacks along these lines. 81% of the federal employees think the government has done a good job, with only about 44% of other respondents in agreement.
Federal government confidence in cybersecurity somewhat shaken
While federal government security professionals are more likely to think they are doing a better job than the private sector, confidence in general is not high. 12% of these respondents said they thought their agency was falling behind in online security, and 59% said that they were barely keeping pace with the threat landscape.
Members of both federal and private organizations were asked why they feel they are falling behind (where applicable). Non-federal organizations were more likely to say that they lacked internal expertise and resources, and that they were struggling because their industry had not typically been targeted until recently. An equal share (42%) feel that leadership does not prioritize cybersecurity.
Organizations that felt they were ahead of the threat landscape were most likely to attribute it to leadership paying attention to cybersecurity, adequate investment in personnel and tools, and motivation for these things due to the potential cost of failure.
Cyber attack concerns remain roughly the same as they have been for some time. Over half of respondents are most concerned about ransomware, unsurprising after the events of 2021. One-quarter to one-third (respondents were able to choose two top concerns) said their biggest worry at the moment was vulnerability exploits, social engineering or credential theft.
What has changed is that critical infrastructure companies are much more concerned about ransomware after the Colonial Pipeline and JBS incidents; 83% of these companies list it as a top concern, compared to only 28% of federal government agencies. Almost all non-federal government respondents say that the major ransomware attacks of 2021 also had a significant impact on their cyber strategy, with 49% having already taken action in response and 35% saying they have current plans in place to do so.
Zero trust support is also high among all security professionals. Only 4% said they either have no interest in it or don’t know what it is. 75% say it is at least “somewhat likely” the organization will adopt it. 53% look to NIST guidelines when adopting it, more than any other source. Development is still coming along, however, with only 13% saying they have a “mature” program at present.