Tripwire Survey: Security Professionals Think Federal Government Should Play a Bigger Role in Securing Private Sector

Posted on November 9, 2021

95% request additional action to ensure the security of data and systems of non-governmental organizations

PORTLAND, Ore.-Tripwire, Inc., a leading global provider of security and compliance solutions for enterprises and industrial organizations, today announced the results of a new research report that evaluated actions taken by the federal government to improve cybersecurity in 2021. Conducted for Tripwire by Dimensional Research, the survey evaluated the opinions of 306 security professionals, including 103 currently working for a United States federal government agency, with direct responsibility for the security within their organization.

According to the research, security professionals responsible for critical infrastructure believe that National Institute of Standards and Technology (NIST) standards should not only be improved and strengthened but enforced outside the federal government. This is likely because only 49% of non-governmental organizations surveyed (critical infrastructure and others) have fully adopted NIST standards, yet still identify ransomware as a primary security concern.

Federal security professionals are aligned with this thinking and also believe the government should be doing more to protect its own data and systems (99%). In fact, 24% think they are falling behind when it comes to preparedness to face new threats and breaches, citing lack of both leadership prioritization and internal expertise and resources as primary reasons.

“It’s clear that organizations - both public and private sector - are seeking further guidance from the federal government,” said Tim Erlin, vice president of strategy at Tripwire. “Generally, long term enforcement and implementation of cybersecurity policy will take time, but it’s important that agencies lay out a plan and measure execution against that plan to protect our critical infrastructure and beyond.”

When it comes to implementing Zero Trust Architecture, both federal and non-governmental organizations agree this strategy could materially improve cybersecurity outcomes, but only 22% say improvement is highly likely. They also agreed that integrity monitoring is foundational to a successful Zero Trust strategy (50%), or at least somewhat important (43%), but only 22% considered measuring integrity and security posture to be a core tenet of Zero Trust Architecture. Secure communication (44%), limiting individual access (39%), and identifying data sources and computing services as resources (36%) were most commonly identified.

Additionally, the survey examined where organizations track on the path to Zero Trust:

  • 25% of those surveyed from the federal government described their Zero Trust implementation as mature, while only 2% of critical infrastructure organizations identified this way
  • The majority of security pros - both public and private sector - described their progress toward Zero Trust adoption as needing some work, or in progress
  • Security professionals look to federal government guidelines as the top source for obtaining Zero Trust strategies and best practices, followed by information from security solutions vendors, consultants, and analysts.

“It's promising to see progress toward Zero Trust implementation, but lack of focus on integrity is where we fall short,” said Erlin. “Maintaining and understanding the integrity of an organization's people, processes and technology is the foundation of strong Zero Trust architecture and should be prioritized as such. Simply put, you can’t have Zero Trust without integrity.”

While hardening systems against ransomware may be a driving force for implementation now, 83% of security pros expect that something worse than ransomware may be coming. Fortunately, both federal and non-governmental organizations have responded to this year's attacks on critical infrastructure with preventative action - 98% of agencies report progress on executive orders on cybersecurity (nearly half say significant progress), and over 50% of non-government groups have taken specific steps to improve cybersecurity efforts.