4 charts that will keep federal CIOs up at night

Two reports released this week show that everything — threat factors, cloud adoption and security budgets — is growing. But organizations' data may not be any safer.

Two reports released this week paint an imposing picture for anyone who is tasked with safeguarding the massive amounts of data collected by federal agencies.

In a study published Wednesday, Vormetric’s Insider Threat Report came away with some stark findings: More than 93 percent of U.S. respondents said their organizations were “somewhat or more vulnerable” to insider threats, and 59 percent named “privileged users” as the biggest threat to organizational data.


A chart from the 2015 Vormetric Insider Threat Report that shows how many organizations feel they are vulnerable to insider threats (Vormetric)

“As much as we may have hoped to believe it, the Edward Snowden affair was not our data security pinnacle,” said Andrew Kellett, lead analyst for consulting firm Ovum, which helped produce the report. “Almost half of the U.S. organizations polled experienced a data breach or failed a compliance audit in the past year – which tells us the situation has probably gotten more complicated.”


The report also found that while organizations are fighting for every dollar they need to protect against all threats, where that money is being applied doesn’t always align with the biggest security weaknesses faced by IT professionals. While servers and databases pose the highest risk, the report finds that spending remains focused on endpoint and mobile security.


“The scattergun approach that sees [security budget] increases spread across a wide range of security protection solutions suggests that there is still a significant amount of firefighting going on,” the report states.

The authors of the report suggest that IT security should lessen focus on mobile devices and put more emphasis on access control technology and data encryption, which would provide peace of mind whether data is stored in the company’s own databases or in the cloud.

“Irrespective of where the data is being held, it is important to know and be able to control who gets access and what they can do with that access,” the report reads. “This provides the ability to highlight and report on misuse that could otherwise put company-sensitive data at risk.”


Yet in another report issued this week, George Mason University’s Mercatus Center, a free-market-focused think tank, found that even as the federal government fights its own battles with cybersecurity budgets, the number of federal data breaches — including breaches of data that contained personally identifiable information — continues to rise.


A Mercatus Center chart contrasts FISMA spending with the number of reported federal cybersecurity incidents. (Mercatus Center)

Using data from the Congressional Research Service and the Government Accountability Office, the study tracks spending related to the Federal Information Security Management Act from 2006 to 2013, along with the total reported number of federal information security incidents. While FISMA spending has moderately increased (the report’s author attributes the jumps and subsequent declines in spending to changes to OMB’s methodology for calculating FISMA spending), federal cybersecurity incidents have jumped 1,012 percent since 2006, from 5,503 to 61,214 in 2013.

As the number of incidents rose, so did the amount of breached personally identifiable information belonging to federal personnel, veterans and civilians.


This Mercatus Center chart compares the share of personally identifiable information to overall information breached in federal cybersecurity incidents. (Mercatus Center)


“The federal government’s own failure to improve internal cybersecurity practices after years of increased spending and information-sharing among agencies calls into question the effectiveness of President Obama’s proposals to extend these policies to the private sector,” the Mercatus Center report concludes. “While cybersecurity vulnerabilities and data breaches remain a considerable problem in the private sector as well as the public sector, policies that failed to protect the federal government’s own information security are unlikely to magically work when applied to private industry.”

Combining information from both studies, it’s clear that federal CIOs have to manage growth on numerous levels — growth of cloud, growth of attacks, growth of threat factors — if they plan on keeping their data as safe as possible.

Read the full Vormetric report here and the Mercatus Center report here.


Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.
