BreachExchange mailing list archives

Report shows cybersecurity officials feel understaffed and demoralized


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 29 Sep 2015 18:35:09 -0600

http://www.dailydot.com/politics/privacy-governance-report-2015/

From the IRS to the Office of Personnel Management to the White House's own
email system, it seems like barely a week goes by without some new
revelation about a cybersecurity failure within the U.S. government.
Despite its best efforts, the government appears increasingly outgunned in
the war against hackers.

A report released this week by a cybersecurity trade organization may give
some insight into why that might be the case.

Conducted by the International Association of Privacy Professionals, the
inaugural Privacy Governance Report aggregates information from interviews
with 791 professionals working in the North American electronic privacy
industry across the public and private sectors. The report found that,
within government, officials tasked with maintaining the security of
information gathered from American citizens feel understaffed,
under-resourced, and demoralized in terms of their own prospects for career
advancement.

The result is a situation where the public sector's ability to combat the
rapidly evolving array of cyberthreats aimed at it on a daily basis lags far
behind that of private companies.

Seventy percent of privacy professionals working in government said their
budget isn't sufficient to meet their obligations to protect citizens' data
and 63 percent reported that their organizations don't spend enough money
on training. For the entire profession as a whole, those numbers were 59
and 48 percent, respectively.

When it comes to prospects for advancement, public sector respondents were
10 percent more likely to say there was little to no opportunity for upward
mobility for them within their group or within their organization as a
whole than private sector employees.

The implications of these numbers are worrisome. Managing privacy within
large organizations is a rapidly growing field. It took about a decade for
the International Association of Privacy Professionals to grow its
membership to 10,000 people. It was able to double that number to more than
20,000 in the past two years alone.

People with the skills to deal with privacy vulnerabilities are in
extremely high demand. The survey found that about one-third of its member
respondents were making more than $150,000. The demand for people with
these skills far exceeds the supply across the board. As such, the lower
levels of job satisfaction in the public sector indicate the obstacles that
stand in the way of government agencies getting the manpower they need.

“Government respondents indicate that the budgets they are working with are
significantly smaller than for their private-sector counterparts. Also, the
job opportunities they see in this space are more limited,” explained Omer
Tene, vice president of education and research at International Association
of Privacy Professionals. “The bottom line is that the government seems to
be investing less resources when it comes to privacy.”

Tene noted government agencies start from a difficult position when
attempting to recruit top tech talent. “In every field, not only in
privacy, a job at Apple or Google will typically be more attractive and
alluring for a recent graduate than a job at the IRS,” he said, but added
that public service has its own allure. “On the other hand, working for
government also has tremendous benefit in terms of the level of interest.
You might be dealing with top policy issues that it would take you 20 years
in the private sector to even start reaching. High-level policy issues,
engagement with senior officials from different private-sector businesses
or international. There's a trade-off there and I think government still
have the ability to attract good talent. I wouldn't write them off.”

Apple may have more cash on hand than the U.S. government, but the study
also reveals a possibly more fundamental, if counter-intuitive, fault line
dividing the organizations that make privacy a fundamental part of their
missions—and therefore allocate resources thusly—and those that don't.

The report drew a distinction between “regulated” industries—like banking
and healthcare, where the government has imposed strict rules on how
customer data is handled—and “unregulated” ones like software and retail,
where individual companies have a lot more leeway. The report found that,
contrary to what one might think, privacy professionals in the unregulated
industries reported a tendency among their firms to value their work more
highly and expend more resources making privacy core to their mission.

The explanation here is that the existence of strong regulations can shift
perceptions. When there are strong rules in place across an industry,
managing privacy becomes an issue of regulatory compliance. Companies see a
set of rules and, by and large, adhere to them, but don't necessarily go
far beyond that. On the other hand, in the unregulated sector, there's a
tendency among companies that have dedicated privacy teams to view a
commitment to protecting user data as something that differentiates them
from their competitors. It becomes essential to their mission, rather than
just a box to check to keep regulators off their backs.

In a sense, Tene argues, government can be viewed as just another (highly)
regulated industry.

“We've been arguing for years that privacy should be seen as a strategic
business driver. You see that unregulated companies are getting that
because they realized it impacts their brand and their reputation,” Tene
said. “If you pigeonhole privacy as just another regulatory matter, it
becomes something that that compliance officer deals with.”

While some businesses in regulated industries, at least the ones on the
cutting edge, are expanding their privacy programs as a way to separate
themselves from the competition, Tene hopes this mindset will expand to the
public sector in light of the recent string of major security breaches.

“It's important for people who head departments—whether it's IRS or the
Department of Justice or the Department of Homeland Security—to understand
how important privacy is and that brand and reputation are important things
for a government also,” he said. “They don't have consumers and there's no
competition typically for governments, it's still your constituency and the
citizens are the ones who are funding you. The first step is just to
recognize the importance of this issue, which will help drive resources and
budgets.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 