Survey highlights need for agencies to find, remediate IT risks more quickly

Despite the progress federal, state and local governments have made discerning what devices and applications are running on their networks, new survey results show fewer than half of agency leaders are strongly confident their organizations can identify critical risks across their IT environment within a five-day business cycle.

Asked about the ability to determine various IT risks, 54% said their agencies could determine the number of outstanding vulnerabilities in their IT environment — and 56% could determine the specifics of those vulnerabilities.

While nearly three in four (72%) respondents said their organizations can determine if software updates and patches have been implemented, only 56% can determine why those updates and patches were not implemented.

Those and other findings are part of a newly released study by Scoop News Group for FedScoop and StateScoop, which sought to gauge the ability of federal and state agencies to assess and manage risks across their IT environments. The study, which was underwritten by Tanium, is based on the responses of 193 prequalified government leaders, IT and security directors and managers, procurement staff and IT influencers.

Confronting complexity

The relative ability to assess and mitigate IT risk has consistently challenged government agencies. However, the increasing complexity of multi-cloud IT environments — and the growing reliance on out-of-network devices and applications — have made it more difficult for agencies to assess and address their IT risks.

Fewer than half (47%) of those surveyed, said their agency is able to determine the security status of endpoints that are “off-network,” such as personal devices used by employees working from home.

A key factor hindering agencies’ ability to minimize risks is their reliance on several security solutions installed over multiple years. Two-thirds of respondents at state and local agencies — and more than one-third at federal agencies — reported using six or more tools specifically for managing IT risks.

Another factor is the extent to which “agencies still don’t know what they don’t know when it comes to devices, applications and APIs interacting dynamically on their networks,” said Wyatt Kash, senior vice president at Scoop News Group, who headed up the research.

Consequently, Kash cautioned that though the results suggest agencies have made significant headway in monitoring and responding to endpoints on their networks, many executives may still be overestimating their ability to identify and mitigate looming threats.

The study also shines a spotlight on the following:

• How satisfied federal and state IT executives are with their risk management tools.
• Where their organizations are prioritizing their risk management investments.
• The working relationships between agency IT operations and security teams.
• Their confidence in the accuracy of their endpoint data.
• Their confidence in third-party vendors to meet federal security compliance standards.

“These results show that federal, state and local agencies have made much progress in reducing their attack surface, which is encouraging,” said Matt Marsden, vice president of technical account management for public sector at Tanium.

“What stood out was that agency executives often say they are certain of the endpoints they know about on their networks,” he said. “But many of our customers discover 20% more endpoints they didn’t know were on their networks once Tanium was deployed to assess their environments.”

Marsden also pointed to a recent multi-industry study by Cybersecurity Insiders which found that 55% of cybersecurity and risk management professionals estimate more than 75% of endpoint attacks can’t be stopped with their current systems. He believes it’s not enough to know what devices and applications are on your networks; but remediating vulnerabilities quickly is equally important.

The challenge for many federal, state and local agencies is the inability of most endpoint management platforms to identify unknown or unmanaged assets. Marsden cited the need for absolute certainty across all environments, not just those impacting legacy tools.

He also recommended that federal, state and local agencies consolidate network data as much as possible and reduce the number of monitoring tools they use to combine data sources and reduce IT complexity.

Read the full findings in the report “Keeping Ahead of the Risk Curve.” Proactive risk management starts with a comprehensive view of risk posture. Learn more about Tanium’s no-cost, no-obligation risk assessment.

This article was produced by Scoop News Group for FedScoop and StateScoop, and sponsored by Tanium.