We’re from the government and we’re not here to help
Last week the SEC announced that it is pursuing fraud charges against SolarWinds and its CISO, and this has the CISO community up in arms. There are lots of people throwing stones at SolarWinds, and many CISOs heaving well-aimed projectiles at the Federal Government’s abrupt shift from a provider of very general, open-ended “guidelines,” marginally useful threat intelligence and overlapping reporting requirements to a cyber cop ready to prosecute CISOs.
There’s been so much chatter about the abrupt shift in the Federal government’s role that we decided to try to quantify what CISOs think about the role of the Federal government in cybersecurity. This survey took place earlier this year, before the SEC announced its intention to charge SolarWinds and its CISO.
Let’s start with how CISOs view the usefulness of current cybersecurity regulations:
Only 6% of respondents found current regulations “extremely helpful” and just 31% found them “somewhat helpful.” Nearly two-thirds of respondents (63%) said they were only marginally helpful or not helpful at all.
NIST (then the National Bureau of Standards) has been publishing federal computer security standards since the 1970s, so it’s not like the government hasn’t had time to figure out how to work with the private sector on cybersecurity regulation. We think it’s safe to say that, from CISOs’ perspective, the Federal government’s track record on meaningful cybersecurity regulation is not impressive.
CISOs also have a lot to say about what’s wrong with the current set of regulations:
Nearly all the CISOs who took this survey say that the lack of a national standard for privacy violations is a huge problem, and the lack of a standard for data breach reporting was nearly as bad. Overlapping and conflicting regulations from multiple agencies were also cited as a major issue by nearly every respondent. And 70% of CISOs said that many regulations focus on outdated technology (looking at you, anti-virus software).
CISOs also don’t have a high opinion of the threat intelligence the U.S. Federal government provides:
Fewer than 10% of respondents say it’s “extremely helpful,” and while many CISOs acknowledged recent improvements, there is still a long way to go.
CISOs tell us how hard it is to access the limited intelligence that is provided, and they are frustrated by the limitations on sharing it within their own organization (even when the staff member they want to share it with holds the appropriate security clearance). There were also many caustic comments about the relative value of the type of threat intelligence being shared compared to what is already available on public channels.
Given these results, it’s not surprising that most CISOs are not confident in the government’s ability to meaningfully address the cybersecurity challenges that they are grappling with every day, or those that are emerging:
These results make it clear that CISOs don’t believe that the U.S. Federal government is going to provide any “meaningful” help against entrenched threats (like ransomware) or newer threats connected with software supply chains and AI.
CISOs are not looking to the Federal government for help with the challenges they are currently grappling with, and the regulations in place are more of a hindrance than a help.
When we asked CISOs for their general outlook on the probability that the U.S. Federal government will make any substantive progress on cybersecurity in the foreseeable future, they were overwhelmingly negative:
We think that these results, taken together, demonstrate that the Federal government’s approach to regulating cybersecurity, and to partnering with the private sector to “support” the cybersecurity of critical infrastructure, is actually making CISOs’ jobs more difficult.
What do you think?