Information security experts routinely chide government agencies with the adage “compliance doesn’t guarantee security.” But a chief information security officer of a well-recognized federal agency cautioned technology providers against denigrating the role and importance compliance still plays in protecting federal data.
“We know compliance is not the complete answer. But the level of security comes with a level of compliance,” argued the agency CISO, citing Target’s costly data breach in 2013 as a failure of compliance over technology. He made his remarks during a not-for-attribution roundtable on data security, hosted in Washington, D.C., this week by Vormetic, a San Jose, California-based data security provider.
The debate over compliance and security marked a flashpoint in a broader discussion over the growing disconnect between how U.S. enterprises are spending the bulk of their security budgets and what’s actually needed to deter the rise of data theft.
According to 451 Research, which analyzes IT businesses and trends globally, nearly $40 billion is spent annually on information security products. Much of that spending by U.S. companies, and government agencies in particular, appears increasingly misplaced, contends Garrett Bekker, senior security analyst for 451 Research.
“Our global survey results showed that in many ways, security professionals are like generals fighting the last war,” Bekker. said
He pointed to the survey’s findings, which looked at a variety of industries including government, that suggests a majority of federal IT spending for security is still going toward legacy security technologies, like intrusion detection systems.
Among federal government respondents in the survey, for instance, it showed that network defenses were the top-ranked category for increased spending over the next 12 months — cited by 53 percent of federal respondents — compared to just 37 percent who planned to spend more on protecting data at rest.
Bekker put that into perspective, noting that 60 percent of federal respondents believe network defenses are “very effective” — higher than any other vertical industry 451 Research measured. Similarly, feds take a relatively dim view of data-at-rest defenses, with only 68 percent of federal respondents rating it as an effective approach, the lowest of any vertical the firm measures, and below the U.S. average of 75 percent.
Even if agencies shifted more of their spending toward data protection technologies, that still won’t fully address the fallibility of humans working with the network systems, other CISOs at the roundtable said. Agencies are doing more to automate processes, to reduce human errors, according to one agency chief technology officer at the roundtable. “Humans are still the weak link,” another CISO said.
While a surge of new products and applications now make it easier to detect breaches and system anomalies, they’ve also made the job of maintaining those systems more complex, which introduces additional vulnerabilities. That makes compliance with federally mandated security practices all the more important, as agencies move to the cloud and more and more devices and applications interact with agency data systems, CISOs said.
“You still have to make sure people follow the rules,” otherwise, said one CISO, “it begs the question, ‘What did all that spending buy me?’”
Contact the writer on this story via email at firstname.lastname@example.org, or follow him on Twitter at @WyattKash. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.