Survey: Only 11 Percent of Federal IT Professionals Have Implemented the Top 20 Critical Security Controls
PORTLAND, OREGON — December 4, 2013 — Tripwire, Inc., a leading global provider of risk-based security and compliance management solutions, today announced the results of a survey on security technology trends in the federal government. The survey was conducted by Dimensional Research from September 26 through October 4, 2013, and evaluated the attitudes of 110 federal information technology professionals from military, intelligence and civilian agencies.
The National Security Agency (NSA) created a best security practices list for their customers. The list was later expanded through a large-scale community project initiated by the SANS Institute and sponsored by the Center for Strategic and International Studies (CSIS). The outcome of this project was the Top 20 Critical Security Controls (20 CSC) – a prioritized list of security best practices that were proven to help organizations combat the most common cybersecurity issues as well as reduce the greatest number of exploitable cyberattack vectors.
According to a recent U.S. Government Accountability Office (GAO) study, the number of security incidents reported by federal agencies increased 782 percent from 2006 to 2012. Despite this growing number, survey results indicate that the 20 CSC have not yet been adopted by many federal agencies.
Key Tripwire survey findings:
- Only 11 percent of the respondents have implemented the 20 CSC.
- Only 53 percent consider the 20 CSC to be valuable to their organization’s security strategy.
- 66 percent do not have plans to adopt the 20 CSC at this time.
“The Top 20 Critical Security Controls were not designed to be a replacement or alternative for comprehensive risk management frameworks like FISMA,” said Tony Sager, director of programs for the Council on CyberSecurity. “Instead, the Controls bring priority and focus to complex cybersecurity problems and make it possible to align the many complex and often conflicting schemes that regulate, oversee or determine security practices. Highly knowledgeable practitioners across every business sector have agreed that these 20 Critical Security Controls stop the vast majority of the attacks seen today.”
Additional Tripwire survey findings include:
- Only 18 percent of respondents implementing controls are doing so in the order proposed.
- 79 percent use the 20 CSC as general guidelines.
- 88 percent believe the 20 CSC will complement, not replace, existing FISMA efforts.
“The 20 Critical Security Controls are easily understood by nontechnical mission owners and have been proven time and again by agencies around the world to be effective against the greatest number of targeted cyberattacks,” said Rekha Shenoy, vice president of marketing and corporate development for Tripwire. “In addition, a significant percentage of these controls can be automated, dramatically reducing the time and resources required to implement them. For example, automation of security configuration management and vulnerability management makes implementation of continuous diagnostics and mitigation very achievable. Mission owners at every agency should be asking how their security strategies stack up against the 20 Critical Security Controls.”
For more information about this survey, please visit: http://www.tripwire.com/company/research/cdm-survey-release-1-data/#part2/.
About Dimensional Research
Dimensional Research provides practical marketing research to help technology companies make smarter business decisions. Our researchers are experts in technology and understand how corporate IT organizations operate. Our qualitative research services deliver a clear understanding of customer and market dynamics.
For more information, visit www.dimensionalresearch.com.
Tripwire is a leading global provider of risk-based security and compliance management solutions, enabling enterprises, government agencies and service providers to effectively connect security to their business. Tripwire provides the broadest set of foundational security controls including security configuration management, vulnerability management, file integrity monitoring, log and event management. Tripwire solutions deliver unprecedented visibility, business context and security business intelligence allowing extended enterprises to protect sensitive data from breaches, vulnerabilities, and threats. Learn more at www.tripwire.com, get security news, trends and insights at http://www.tripwire.com/state-of-security/ or follow us on Twitter @TripwireInc.