The study found that public sector compliance mandates such as the Federal Information Security Management Act (FISMA) and Department of Defense Directive 8570.1, as well as concern over the large number of recent high-profile security breaches and the rise in cyber terrorism, are driving agencies to invest nearly half of their total information security budgets in personnel, specialized training and certifications.
"This report clearly illustrates the U.S. Government's understanding that its information security cannot be achieved solely through the use of technology solutions; any strategy that is going to effectively protect and secure information assets and networks must be underpinned by a well-trained, educated, professionalized workforce," stated Lynn McNulty, CISSP, director of government affairs for (ISC)2.
The study found that federal, state and local governments now spend, on average, 46 percent of their total security budgets on personnel and training -- with increasing demand in the top three areas of C&A, information risk management and forensics. This statistic moves the government towards being on par with the private sector, which spends 49 percent of its security budgets on hiring and training, the study says.
The report forecasts that the growing demand for qualified information security professionals by federal, state and local governments will remain a priority for the foreseeable future, with governments seeking individuals not only with technical skills but also softer business skills in areas like collaboration, communication and negotiation to help drive management buy-in and successful execution of agency policies.
IDC used a Web-based electronic survey to collect and analyze the responses of 373 information security professionals from U.S. federal, state and local agencies and government contractors. Other highlights from the 2006 government-specific report include:
- The role of the Chief Information Security Officer (CISO) is progressing in status, thanks to changing reporting structures driven by compliance with security mandates and increased attention to security breaches. Among federal respondents, CISOs have passed CEO-equivalent managers to reach the No. 2 spot just below CIOs as the role most responsible for agencies' information security functions. Over time, IDC predicts that CISOs will be better positioned to drive government-wide awareness and promote interagency cooperation on information security efforts.
- Technologies of interest to federal, state and local governments include biometrics, wireless security and forensic tools. IDC predicts that over the next 12 to 24 months, federal, state and local governments will focus more on risk management and forensics in response to recent data breaches from malicious hackers and employee negligence.