Cybersecurity topped the list concerns in a new survey of federal IT executives.
The annual survey, conducted by Grant Thornton LLP and the Professional Services Council, polled 67 federal IT leaders about the state of the federal CIO.
In the wake of several massive cyber breaches in recent years — including one the Office of Personnel Management announced last week that affected more than 4 million current and former federal employees — the survey’s executive summary says, “it comes as no surprise that cybersecurity remains a top concern for those we interviewed. With the ever-increasing proliferation of networks, devices and applications, there has been a corresponding increase in both the number and sophistication of cyber threats.”
According to the federal technology leaders polled, 90 percent saw an increase in cyber threats in 2014, and 26 percent saw those threats increase by more than 50 percent. And while cyber spending is increasing, those same leaders said it’s not happening proportionally.
During a panel at a Professional Services Council event Monday, several federal CIOs weighed in on how they are addressing their cyber challenges.
“What needs to get done to raise the bar is understanding that we have to share the information” on breaches, said Margie Graves, deputy CIO of the Department of Homeland Security. She pointed to President Barack Obama’s cybersecurity information sharing executive order from February as step in the right direction. “Within that environment … if I see something, I say something — like DHS tagline — and it goes directly to my compatriots; they know the extent of what I’ve seen, and they’re able to get out in front of it.”
Justice Department CIO Joe Klimavicz said that given the seemingly persistent losing battle of federal cybersecurity, it might be time to rethink how agencies approach cyber.
“I often talk about separating out the software from the data. We’re still figuring out how to build bulletproof software, and somebody will figure out how to crack it,” Klimavicz said. Beyond that, though, he said agencies first need to tackle the basics — like patching, identity management and two-factor authentication — if they’re going to keep their information secure.
Talking with FedScoop, Dave Wennergren, PSC vice president of technology, spoke more candidly of some agencies’ struggles to address the most elementary cybersecurity tactics, or what he calls “basic blocking and tackling.”
“You got to get that done,” Wennergren told FedScoop. “The fact that there are federal agencies that are not using their [personal identification verification] cards — DOD demonstrated the value of using your common access card for cybersecurity, physical access security and to promote electronic business. That was a decade ago, and yet we still have people using it as a flash pass.” Wennergren served as CIO of the Navy and in several other IT leadership roles in the DOD before joining the private sector in 2013.
CIOs worry, too, that the struggle to attract top-tier cyber talent to the federal government is only going to make things harder, the survey revealed. “Respondents pointed out that it is almost impossible to compete with the commercial sector, which can offer much more lucrative salaries with bonuses. There is an ongoing war for talent, and these impediments for the government are a significant hindrance,” it said.
“All of us are struggling to hire those individuals that will take us to the next level, that will up our game, that will allow us to identify cyber threats,” Graves said. “These folks are out there, but we need to get the right kinds of high points in place and move the barriers that will allow us to hire them.”
Commerce Department CIO Steve Cooper agreed, listing it as one of his biggest struggles right now.
“We are not able to hire competitively,” Cooper said, noting that the CIO office at Commerce sustains an about 25 percent vacancy, which he attributes to the government’s inability to compete with private sector for qualified talent to replace officials who are retiring. And that’s a governmentwide trend: For every one federal IT worker younger than 30, there are 10 workers older than 50, the survey found.
At Commerce, the average age of its workforce is around 50.6 years old, Cooper said.
“We’re not doing a great job of bringing young professionals on board,” he said. “And I don’t have a terrific answer for that … It’s a big challenge.”