SPECIAL RESEARCH REPORT
   multipronged attacks, and the lateral spread of malware, both of which 84 percent of respondents cited as main worries. At 82 percent, unauthorized access and intrusion were a close second, followed
by internal attacks at 79 percent, and social engineering or off-line manipulation of employees to divulge information at 75 percent.
To address these, respondents are increasingly seeking solutions such as machine learning and real-time visibility into network
traffic; protection of data at rest and in transit as it moves to, from and among clouds; remote wiping of data from lost or stolen mobile devices; mandatory encryption; identity and access management, especially on mobile devices; and greater control of internet of things devices.
To date, most government security focus has been on email, with 69 percent of respondents saying their agency has a process for protecting it in place, but only 28 percent are satisfied with that
Figure 2: Network security solutions done in house
As technology needs grow and change, agencies must determine what cyber oversight to keep and what to contract. This chart shows what is being done in house.
Cloud
One technology that has taken off is cloud. With policies such as
the Cloud First strategy dating to 2011, the push to the cloud has been firm and long established. Among respondents, 98 percent said they have adopted cloud, are in the process of adopting it, or are considering migrating workloads to the cloud. Of that number, 40 percent said they have fully adopted or migrated some workloads to the cloud.
Figure 3: Cloud computing challenges
Cloud has many benefits, but can increase cyber threats if not managed properly. Government IT leaders say they are most concerned about increased risks from data portability and insecure APIs.
very challenging somewhat challenging
Increased exposure due to data portability
Insecure software interfaces or APIs
Adoption of a data lifecycle management in the cloud
Clarifying “ownership” of records and data in a multitenant cloud environment
Uncertain compliance auditability Potential data loss or leakage
Still, IT managers recognize that cloud introduces security challenges, especially when it moves data beyond an agency’s four walls. Increased exposure as a result of data portability is a top concern for respondents, with 54 percent citing it as a challenge. Of that number, 20 percent said it’s very challenging. Other concerns include uncertain compliance auditability (47 percent), potential data loss or leakage (46 percent), insecure software interfaces (45 percent), clarifying ownership of data and records in multitenant clouds (43 percent), and adoption of data life-cycle management (46 percent).
So far, agencies have largely relied on cloud providers to take responsibility for security. But cloud computing requires greater vigilance with more robust data protection and governance strategies. The areas of cloud security respondents were most interested in
are evaluation of risk, governance and compliance processes, and protection of data. Twenty-four percent of respondents said they
are satisfied with their current solution for securing the physical infrastructure, and 23 percent said they’re happy with enforcement of privacy policies.
Mobility
Mobile connectivity is another area where IT managers struggle. The Telework Enhancement Act of 2010 may have focused more on government employees who would work from computers at remote
   20%
 34%
 19%
 26%
 17%
 29%
 16%
 27%
 currently have
Currently have + plan to have
Email validation Advanced analytics Virtual Private Network Behavioral analytics Real-time visibility Network segmentation
   69%
 12%
 16%
 31%
 53%
 17%
 14%
 32%
 53%
 16%
 45%
 24%
 44%
 22%
 37%
 21%
 Continuous diagnostics and mitigation (CDM)
Machine learning for detection Perimeter intrusion prevention system
solution. Other processes that agencies are already using include advanced analytics and virtual-private networks (VPNs) at 53 percent, behavioral analytics at 45 percent, and real-time visibility at 44 percent. Machine learning for detection is the least implemented at 30 percent, but the most planned: 26 percent plan to have it.
IT managers must be careful that what they implement doesn’t cause more vulnerabilities by hindering employees’ ability to get their jobs done. Among respondents, 66 percent said that employees at their agencies often must work around existing IT security policies to do their work.
In the next sections, we’ll look at how cloud, mobility and IoT are affecting the government’s cybersecurity sector.
39%
 17%
 30%
 26%
 38%
 17%