Federal Cyber Execs Say OPM Data Breach Wasn’t the Wake-up Call Many Thought It Would Be, According to (ISC)² Report
A Year Later, Over Half Believe Security Has Not Improved, 40 Percent Lack an Effective Response Plan for Future Incidents
Washington D.C., U.S.A. – May 19, 2016 – More than half of federal cyber executives say they don’t agree that the government’s response to last summer’s massive Office of Personnel Management (OPM) data breach has improved their agency’s security, according to survey findings issued today in The 2016 State of Cybersecurity from the Federal Cyber Executive Perspective – An (ISC)²® Report.
The report reveals that the OPM data breach that compromised the personnel records of 21.5 million current, former and retired federal employees and contractors in June 2015 wasn’t the wake-up call many thought it would be, despite the President’s call-to-action imposed on federal agencies in the resulting “Cyber Sprint” exercise. In fact, 52 percent of respondents disagree that the exercise improved the overall security of federal information systems. Twenty-five percent of respondents said their agency made no changes in response to the OPM data breach; and still, a year later, 40 percent of respondents surveyed believe their agency lacks an effective response plan.
(ISC)² conducted the survey (which was sponsored by KPMG LLP, the audit, tax and advisory firm) in March in order to determine the current state of cybersecurity from the perspective of executive-level federal cybersecurity leaders and to offer recommendations for advancing the government’s cybersecurity progress to the new federal chief information security officer (CISO) and other key stakeholders.
Other key findings of the survey include:
-- An alarming 59 percent of respondents say that their agency currently struggles to understand how cyber attackers could potentially breach their systems, with 41 percent indicating their agency is not aware of where key assets are located.
-- Almost two-thirds (65 percent) either disagree or strongly disagree that the federal government as a whole is capable of detecting ongoing cyberattacks.
-- Federal cybersecurity executives are disheartened by the current environment, with 25 percent unsatisfied or extremely unsatisfied in their jobs and considering leaving their agency, a disturbing finding given that the federal government is already struggling to populate its understaffed cybersecurity workforce with talented and experienced cybersecurity leaders and practitioners.
-- The lack of accountability was a consistent theme throughout the survey results, as 21 percent of respondents were unable to identify a senior leader at their agency whose sole responsibility is cybersecurity.
-- Respondents indicate that certain departments within agencies do not view cybersecurity as important to their departmental functions, the most notable being human resources, purchasing/procurement and communications/public relations.
-- Leaders are realizing that people can be their organization’s greatest cybersecurity asset or greatest liability, with 42 percent of respondents indicating that people are currently their agency’s greatest vulnerability to cyberattacks.
-- Cybersecurity is quickly moving away from a “one size fits all” set of standards, but the many compliance requirements do not allow for sufficient customization.
-- The technology solution overwhelmingly identified by respondents for its significance as a game-changer was “predictive analytics.”
The survey, taken anonymously online and during personal interviews, includes responses from 54 cyber executives in the U.S. federal government, including those working in defense, intelligence and civilian agencies and the U.S. contracting industry. Respondents can be characterized as senior-level and highly experienced, with nearly 90 percent having worked in cybersecurity for more than 10 years and 30 percent for more than 20 years.
“There is a wealth of unique perspectives shared throughout this report,” said Dan Waddell, CISSP, CAP, PMP, (ISC)² managing director, North America Region, and director, U.S. Government Affairs. “Despite the fact that most agencies have not yet hit their stride in advancing progress, it is our hope that the recommendations in this report will positively influence upcoming business decisions and help the new federal CISO, members of Congress and staff and other federal leaders to prioritize the government’s cybersecurity resources.”
“I’m greatly concerned about the apparent lack of accountability this survey found, with 21 percent of respondents indicating there is no senior leader in their agency solely responsible for cybersecurity,” said Tony Hubbard, KPMG principal who advises federal agencies on cyber risk. “Clear reporting lines and accountability are foundations for a good cybersecurity program and we hope this report sheds light on this issue. We look forward to the appointment of a federal CISO – that’s a step in the right direction.”
Findings were released today during a session, “The 2016 Cybersecurity Reality Check – Federal Cyber Execs Speak Out,” that took place at (ISC)²’s 2016 CyberSecureGov training event at the Walter E. Washington Convention Center. Information on this session can be found at cybersecuregov.isc2.org.
The full report can be downloaded at www.isc2.org/FedCyberExecSurvey.
About (ISC)²
Formed in 1989, (ISC)² is the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with over 114,000 members in more than 160 countries. Globally recognized as the Gold Standard, (ISC)² issues the Certified Authorization Professional (CAP®), Certified Cyber Forensics Professional (CCFP®), Certified Cloud Security Professional (CCSP®), Certified Information Systems Security Professional (CISSP®) and related concentrations, Certified Secure Software Lifecycle Professional (CSSLP®), HealthCare Information Security and Privacy Practitioner (HCISPP®) and Systems Security Certified Practitioner (SSCP®) credentials to qualifying candidates. (ISC)²’s certifications are among the first information technology credentials to meet the stringent requirements of ISO/IEC Standard 17024, a global benchmark for assessing and certifying personnel. (ISC)² also offers education programs and services based on its CBK®, a compendium of information and software security topics. More information is available at www.isc2.org.
© 2016 (ISC)² Inc. (ISC)², CAP, CCFP, CCSP, CISSP, CSSLP, HCISPP, SSCP and CBK are registered marks of (ISC)², Inc.
About KPMG LLP
KPMG LLP, the audit, tax and advisory firm (www.kpmg.com/us), is the U.S. member firm of KPMG International Cooperative (“KPMG International”). KPMG International’s member firms have 174,000 professionals, including more than 9,000 partners, in 155 countries.
NEWS FOR IMMEDIATE RELEASE
Media contacts:
Courtney Jewell Beveridge
Matt Weiss, KPMG LLP