Towards the end of 2016, Thales e-Security, in conjunction with 451 Research, conducted a comprehensive global survey of security professionals to get a pulse on the state of the security industry’s level of preparedness to deal with threats to data, both from insiders as well as external threat actors. The results of that study included a Global Threat Report, as well as several regional and vertically-focused reports including one focused on the federal government sector. One of the new aspects in this year’s report was the inclusion of responses from federal government sector participants from other countries: Japan, Mexico, Brazil, Australia, UK and Germany.
Overall, the key takeaways from Thales’ Federal report were generally in line with those of the global report: security spending is up sharply, but so are breaches, reflecting a seemingly endless arms race in which we collectively keep spending more and more on security without actually making headway against the bad guys.
So data security practitioners are chasing their own tails, spending on security approaches that have worked in the past but are no longer the most effective at stopping modern breaches. To make matters worse, a new question this year revealed that nearly two-thirds (63%) of respondents are deploying new technologies in advance of having appropriate levels of data security in place in their organizations. As things like Big Data, Cloud, IoT and containers represent a greater proportion of our IT infrastructure, we face the likelihood of being even less prepared to address new security threats.
For many federal governments around the world, the security problem is compounded by a ‘perfect storm’ of antiquated systems, tight budgets, and being a prime cyber-crime target for a variety of threat actors. This has created a stressful environment for many federal sector cyber security practitioners.
More specifically, while security spending is expected to increase for both U.S. Federal and global federal respondents, both lag virtually every other country and vertical market surveyed. In the U.S. Federal sector, for example, 61% plan to increase security spending this year vs. 58% last year, while 58% of Global Federal respondents plan similarly. However, this trails the global average of 73% by a notable margin, and only Japan (54%) is lower.
Budget constraints and staffing shortages are both cited by U.S. Federal and Global Federal respondents as the top barriers to data security initiatives. Specifically, 53% of U.S. Federal respondents cited lack of staff as a chief barrier to data security initiatives, well above the global and U.S. averages of 36% each. And with fewer resources at their disposal, it’s no wonder that more than one-third of all U.S. Federal respondents (34%) said their agency was breached in the last 12 months, well ahead of the global average (26%).
So what can resource-constrained cybersecurity practitioners in the federal sectors do to help increase the security posture and address new threats? For starters, federal cybersecurity personnel would do well to start thinking about a new approach to security. Old habits die hard, and like most sectors, network security tops the list for both U.S. and Global Federal sectors, not only in terms of spending plans for the upcoming year (62% U.S. Federal and 58% Global Federal) but also in terms of overall effectiveness at protecting against data breaches (72% U.S. Federal and 77% Global Federal). Yet as cloud and other platforms and architectures such as Big Data, IoT and Containers gain adoption, network-based protections will become increasingly less relevant.
In our view, the latter call out for methods that secure sensitive data directly, such as data discovery and classification, DLP, data access governance, encryption and tokenization. Yet both U.S. and Global Federal respondents are less inclined to deploy data security measures than the rest of the world in nearly every category. For example, only 12% of U.S. Federal and 14% of Global Federal respondents plan to implement data activity monitoring this year, barely half the global average of 23%; just 9% of U.S. Federal users report they will implement database/file encryption vs. 22% globally; and just 24% of U.S. Federal organizations will deploy encryption with bring-your-own-key or BYOK management for cloud deployments, well below the 39% global average.
One way to get started might be to realize that data security is a process and not a quick fix. Many firms looking to start out with data security have goals that are either too vague, or too ambitious to start out with. Rather than trying to boil the ocean and ‘encrypt everything’, firms should first start out by identifying the most critical assets to protect, perhaps by using data discovery or data classification.
Another suggestion is to start out with vendors you may already have a relationship with. Vendor proliferation is a big and growing problem in security, with over 1,500 vendors, many of which offer largely point solutions. Before bringing in yet another new vendor, consider whether one of your existing vendors may be able to address some of your data security needs. Regardless of whether you go with an existing vendor or a new one, vendors that offer a variety of data security products within a single platform or architecture can also help avoid vendor sprawl.
Lastly, federal agencies that are strapped for cash and/or resources might look to a growing array of services-based data security offerings. Some managed security services providers (MSSPs) are providing data security, as are some cloud providers, and in both cases the latter typically offer white-labeled products from data security vendors. Vendors are also getting in on the services act, with services such as managed DLP services, cloud-based hardware security modules (HSMs) and encryption key management-as-a-service. The combination of the above can help firms add data security to their security posture while helping address some of the typical challenges of complexity, costs and staffing constraints.