Need for Increased Public, Private Collaboration to Improve Cyber Security

Increased collaboration and information sharing between the public and private sectors is needed to improve cyber security, according to a new study released by Symantec. The 2008 Critical Connections study examines each sector's information security priorities, as well as awareness of and attitudes toward the new National Cyber Security Initiative, a proposed federal initiative that would allocate more than $30 billion over the next seven to 10 years to improve cyber security.

The survey found that 68 percent of federal, 59 percent of private sector, and 48 percent of state and local respondents call for increased collaboration to improve cyber security. In addition, 78 percent of private sector respondents say they want more information from the government on cyber threats.

The study, which was conducted by O'Keeffe & Company and sponsored by Symantec and Dell, surveyed 600 IT executives: 200 federal, 200 state and local, and 200 private sector. Symantec announced the study results at the Fourth Annual Government Forum of Incident Response and Security Teams (GFIRST) National Conference in Orlando, Fla.

Across all sectors, respondents share common challenges:

• 63 percent of federal, state and local government, and private sector IT executives believe they are under increased threat compared to last year and 82 percent are placing a higher priority on information security

• 78 percent of federal, 74 percent of private sector, and 60 percent of state and local respondents stated data breaches were their primary security concern

• Organizations in all sectors say they have achieved the greatest progress in the areas of database security, threat monitoring and management, and security training

• More than half of federal and private sector respondents and one-third of state and local respondents named mobile security as a critical concern, but only 29 percent of all respondents plan to increase spending

At the same time, significant disconnects exist, but federal respondents consistently rated higher on key IT security measures:

• While the federal government is leading the charge in preparedness exercises and automating security reporting, state and local agencies and the private sector are not as diligent

• 63 percent of federal respondents report their organization has participated in cyber security preparedness exercises compared to 39 percent of private sector and 32 percent of state and local respondents

• 64 percent of federal respondents have automated threat reporting compared to 44 percent of private sector and 38 percent of state and local respondents

The study found that IT executives support the National Cyber Security Initiative but want to learn more about it. While the vast majority of all groups believe the National Cyber Security Initiative will have a positive impact on security, the survey results indicate that more education and communication is needed.

"The 2008 Critical Connections study highlights that federal, state and local, and private sector organizations recognize they must work together to establish the critical connections necessary to improve security in a shared threat environment," said Dennis Heretick, former chief information security officer for the Department of Justice and chair of the Symantec Government Symposium Advisory Board. "The federal government has a number of gifted leaders that understand the evolution of threats and deserve strong commendation for taking a dynamic approach to risk management. As such, the federal government owns a significant opportunity to share best practices with private industry and state and local government to improve information security."

"Both public and private sector organizations are dealing with a new threat landscape that extends beyond the perimeter to encompass every endpoint that connects to a network," said John McCumber, strategic programs manager for Symantec. "As the study illustrates, today's security challenges -- from preventing data breeches and ensuring the privacy of confidential data to protecting critical infrastructure -- are not limited to a single sector. By taking an information-centric approach to security, organizations can be confident in that their most critical data is protected, wherever it resides."