Last year’s White House Executive Order on Cybersecurity has had a catalytic effect in focusing increased attention on holistic cybersecurity practices, according to a new survey of federal IT officials.
Half of agency IT and security officials polled in the survey described the executive order as “greatly needed” — and another 30% called it “game-changing” — in getting agency leaders to commit resources toward critical cybersecurity projects.
Three-quarters of survey respondents reported that their fiscal 2022 IT security budgets had been increased to meet White House requirements, and 44% said that those budgets had increased by more than 10%.
The study, conducted by FedScoop and CyberScoop and underwritten by Lookout, also found that 3 in 4 federal IT executives surveyed reported that their agency had developed 75% or more of the IT and cybersecurity strategies required of them by the executive order.
The findings are based on the completed responses of 162 prequalified executives and IT decision-makers and contractors working at federal civilian, defense and intelligence agencies in an online survey conducted in December.
The study did not examine what IT projects or priorities may be getting less attention in order to meet the administration’s cybersecurity mandates. It focused instead primarily on:
- IT leaders’ perceptions on the maturity of their agencies’ zero-trust strategies.
- The capabilities their agencies have in place to manage security.
- The level of movement toward Secure Access Service Edge (SASE) security solutions as more computing activity occurs at the edge of agency networks.
- The challenges agencies continue to face to fortify their overall security.
Among the key findings:
Zero-trust practices are still maturing. Executives were asked whether they considered their agency’s zero-trust policies and configurations as “traditional,” “advanced,” or “optimal” across five key areas — data, devices, identity and access, application workloads and network applications. Fewer than 30% characterized their zero-trust maturity practices as “optimal,” with only 19% describing their identity and access practices “optimal,” suggesting that agencies have a long way to go to establish zero-trust environments.
Cyber risk-management gaps remain. Federal IT leaders indicated they are equipped to manage some security risks better than others. Two-thirds of respondents said they are able to continuously assess risks on traditional endpoints, but only half could do the same for mobile devices. And only 4 in 10 are able to provide dynamic granular access, verify cloud configurations, or secure data regardless of where it goes, suggesting agencies will need greater help in these areas.
EDR capabilities appear widely implemented. On a brighter note, two-thirds or more of respondents said their agency can conduct a variety of Endpoint Detection and Response (EDR) activities consistently to detect and block issues, for instance, with insecure mobile devices, advanced persistent threats and polymorphic (evolving) malware.
Issues impeding zero-trust. The top challenges to establishing zero-trust environments are similar to the ones agencies face in modernizing as a whole: Complexity of their environment; conflicting IT priorities; the interdependency of existing technology; and limited budget and staff resources.
Agencies embrace SASE – Among other solutions to improve security, 86% of respondents said their agency is moving toward Secure Access Service Edge (SASE) solutions to better control applications, devices, users and workloads operating at the network edge. The growing focus on SASE suggests ways that newer technology solutions can help compensate for limitations in legacy systems.
Download the full study, “Securing the Edge, for detailed findings, including breakouts tables on how civilian, defense and intelligence respondents — and system integrators and government contractors — occasionally see things differently in the progress agencies are making toward zero trust.
This article was produced by FedScoop and CyberScoop and sponsored by Lookout, a leading provider of integrated endpoint-to-cloud security.