Shows & Panels
- The 2014 Big Picture on Cyber Security
- AFCEA Answers
- Ask the CIO
- Building the Hybrid Cloud
- Connected Government: How to Build and Procure Network Services for the Future
- Continuing Diagnostics and Mitigation: Discussion of Progress and Next Steps
- Federal Executive Forum
- Federal Tech Talk
- The Intersection: Where Technology Meets Transformation
- Maximizing ROI Through Data Center Consolidation
- Moving to the Cloud. What's the best approach for me
- Navigating Tough Choices in Government Cloud Computing
- The New Generation of Database
- Satellite Communications: Acquiring SATCOM in Tight Times
- Targeting Advanced Threats: Proven Methods from Detection through Remediation
- Transformative Technology: Desktop Virtualization in Government
- The Truth About IT Opex and Software Defined Networking
- Value of Health IT
Shows & Panels
National Cybersecurity Awareness Month
Agencies face 'catch-22' in planning for cyber threats
Wednesday - 10/9/2013, 2:38pm EDT
Hord Tipton, executive director of the information security non-profit (ISC)˛ and the former chief information officer of the Interior Department, told In Depth with Francis Rose recently that agency executives and chief experience officers are in a constant state of "security catch-22."
"Our executives at this point have realized they're in a very turbulent, paradoxical time," he said. "They've got some of the toughest decisions of their careers in enterprise security. It's at the top of the list of their key priorities right now."
Executives are cognizant that they must morph their organizations in order to keep up with the advances in next generation technologies and applications. At the same time, they must make security a priority in order to protect their intellectual properties from ever-evolving threats.
"It becomes a catch-22 in that although they realize that the threats are on the increase, yet many of their security dollars and resources have been earmarked for compliance," Tipton said.
In many cases that means agencies are simply checking checklists rather than actually applying money to coming up with solutions to the security threats.
"Do you spend your money on prevention or do you spend it on mitigation and restoration of your systems?" Tipton asked. "Because, at this point, there's an increasing notion that it's not a matter of if we get hit, it's a matter of when we get hit and we have to be prepared to restore ourselves in the shortest possible time."
(ISC)˛ recently released "A View From the Top- The (ISC)˛ Global Information Security Workforce Study CXO Report," which says more and more executives are realizing they must make a decision on this issue one way or the other. More than 1,200 top security executives from around the world were surveyed for the report.
"They're having to make these tough decisions," Tipton said. "They're having to make convincing arguments to the financial aspects of their companies and their governments and make good cases that this is a real problem and it needs some real solutions."
While the use of mobile devices is often touted as contributing to an increase in productivity, the majority of the executives surveyed — some 70 percent — see those devices as a major threat to their organizations' security.
Executives also saw the evolving nature of the security threats as being a major concern for their organization. It's no longer a matter of someone just trying to break into a system from the outside, phishing and other insider threats are examples of the way systems can be vulnerable to attacks.
"Until we get better software, we get more routine awareness training within the users of all of the tools that are out there, we're not going to make any progress on the problem," Tipton said. "It's going to get worse as the days go by."