Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

SolarWinds Public Sector Cybersecurity Survey Report 2020

1.043 visualizaciones

Publicado el

SolarWinds (NYSE:SWI), a leading provider of powerful and affordable IT management software, released the findings of its sixth annual Public Sector Cybersecurity Survey Report. This year’s survey includes responses from 400 IT operations and security decisionmakers, including 200 federal, 100 state and local, and 100 education respondents. This is the first year the survey includes state, local, and education (SLED) respondents.

Publicado en: Tecnología
  • Sé el primero en comentar

  • Sé el primero en recomendar esto

SolarWinds Public Sector Cybersecurity Survey Report 2020

  1. 1. SolarWinds Public Sector Cybersecurity Survey Report February 2020 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
  2. 2. 2 PRIMARY OBJECTIVES: • Determine challenges faced by public sector IT professionals and sources of IT security threats • Evaluate cybersecurity capabilities and factors that have impacted IT security and policies • Identify IT team structures, how IT security operations are sourced, and their level of success • Determine if organizations segment users by risk level, the challenges associated with segmentation, and the perceived risk associated with different user types • Identify privileged users and if organizations are using a Zero-Trust approach to IT security SolarWinds contracted Market Connections to design and conduct an online survey among 400 public sector IT decision makers and influencers in December 2019 through January 2020. SolarWinds was not revealed as the sponsor of the survey. Methodology 2 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
  3. 3. 2% 2% 4% 5% 6% 12% 13% 15% 21% 22% 0% 10% 20% 30% Federal judicial branch Federal legislature Intelligence agency County government City/Municipal government Education: Higher education (Hi-Ed) Education: K-12 State government Department of Defense or military service Federal civilian or independent government agency Organization Type OrganizationsRepresented 3 Which of the following best describes your current employer? N=400 RESPONDENT CLASSIFICATIONS © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED Count Percent Federal government 200 50% State and local government 100 25% Education 100 25% All respondents work for the public sector with half in the federal government, one-quarter in state and local government, and one-quarter in education.
  4. 4. 2% 21% 26% 51% 0% 20% 40% 60% 500,000 – 999,999 1 million – 4.9 million 5 million – 9.9 million 10 million+ State and Local Population SLEDPopulationandEnrollment 4 A range of state and local populations and school enrollments are represented in the sample. Smaller state, local, and education (SLED) populations and enrollments were excluded from participating. [STATE, COUNTY, OR CITY GOVERNMENT] What is the estimated population of the [“state,” “county,” OR “city”] that you work for? [EDUCATION: K-12] How many total students are currently enrolled at the school(s) where you are involved with IT security and/or IT operations and management? [EDUCATION: HIGHER EDUCATION] How many students are currently enrolled at your college or university? 21% 31% 19% 21% 8% 0% 10% 20% 30% 40% 2,000 – 4,999 5,000 – 9,999 10,000 – 19,999 20,000 – 39,999 40,000+ Higher Education Enrollment RESPONDENT CLASSIFICATIONS © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=100 17% 13% 12% 13% 6% 21% 17% 0% 10% 20% 30% 40% 250 – 499 500 – 749 750 – 999 1,000 – 1,499 1,500 – 1,999 2,000 – 4,999 5,000+ K-12 Enrollment N=52 N=48
  5. 5. 6% 24% 31% 48% 51% 51% 58% 0% 10% 20% 30% 40% 50% 60% 70% Other involvement Make the final decision - financial aspects Make the final decision - technical aspects Develop technical requirements Manage or implement security/IT operations Evaluate or recommend firms On a team that makes decisions Decision-MakingInvolvement 5 All respondents are knowledgeable or involved in decisions and recommendations regarding IT operations and management and IT security solutions and services. How are you involved in your organization’s decisions or recommendations regarding IT operations and management and IT security solutions and services? (select all that apply) N=400 Note: Multiple responses allowed RESPONDENT CLASSIFICATIONS © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
  6. 6. JobFunctionandTenure 6 A variety of job functions and tenures are represented in the sample, with most being IT management and working at their current organization for 5-9 years, followed by a large proportion working 20+ years. Which of the following best describes your current job title/function? How long have you been working at your current organization? 10% 3% 6% 7% 9% 20% 46% 0% 10% 20% 30% 40% 50% Other CSO/CISO CIO/CTO Security/IA staff Security/IA director or manager IT/IS staff IT director/manager Job Function 3% 6% 9% 26% 18% 16% 23% 0% 10% 20% 30% 40% <1 Year 1-2 Years 3-4 Years 5-9 Years 10-14 Years 15-19 Years 20+ Years Tenure RESPONDENT CLASSIFICATIONS Examples Include: • COO • Executive Director • Senior Program Manager/Program Supervisor © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400
  7. 7. LocationofITSecurityProducts 7 IT security products are located primarily on-premises or in a private cloud. The respondents’ preferred location of these products is similar to the current location. Where are the IT security products your organization uses currently? Where would you prefer these products to be located? (select all that apply) 68% 50% 19% 15% 57% 52% 16% 18% 0% 10% 20% 30% 40% 50% 60% 70% 80% On-premises/traditional data center Government (private) cloud Public cloud Hybrid cloud Currently located Preferred location RESPONDENT CLASSIFICATIONS © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400 Note: Multiple responses allowed Currently located Federal State & Local Education Government (private) cloud 62% 58% 19% Public cloud 16% 14% 31% = statistically significant difference Preferred location Federal State & Local Education Government (private) cloud 64% 55% 24% Public cloud 13% 14% 25%
  8. 8. ITSecurityObstacles IT SECURITY OBSTACLES AND THREATS What is the most significant high-level obstacle to maintaining or improving IT security at your organization? Budget constraints top the list of significant obstacles to maintaining or improving organization IT security. 1% 4% 5% 7% 8% 8% 10% 14% 16% 27% 0% 5% 10% 15% 20% 25% 30% Other Lack of technical solutions available at my organization Lack of clear standards Inadequate internal collaboration with other teams Lack of top-level direction and leadership Lack of training for personnel Lack of manpower Competing priorities and other initiatives Complexity of internal environment Budget constraints 8 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400
  9. 9. ITSecurityObstaclesbyOrganizationType IT SECURITY OBSTACLES AND THREATS What is the most significant high-level obstacle to maintaining or improving IT security at your organization? Education respondents indicate more so than other public sector groups that budget constraints (driven by K-12) and lack of training for personnel are obstacles to maintaining or improving IT security. Federal respondents indicate the complexity of the internal environment more than other public sector respondents. While budget constraints have declined since 2014 for the federal audience, the complexity of the internal environment as an obstacle has increased. 9 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400 Federal State & Local Education Budget constraints 24% 27% 35% Complexity of internal environment 21% 13% 8% Lack of training for personnel 6% 7% 14% = statistically significant difference K-12 Hi-Ed Budget constraints 44% 25% Federal 2014 2019 Budget constraints 40% 24% Complexity of internal environment 14% 21%
  10. 10. Sourcesof SecurityThreats IT SECURITY OBSTACLES AND THREATS What are the greatest sources of IT security threats to your organization? (select all that apply) Careless/untrained insiders are noted as the largest source of security threats at public sector organizations. 10 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400 Note: Multiple responses allowed 3% 1% 13% 16% 21% 27% 28% 29% 46% 52% 0% 10% 20% 30% 40% 50% 60% None of the above Other Industrial spies Terrorists For-profit crime Hacktivists Malicious insiders Foreign governments General hacking community Careless/untrained insiders
  11. 11. Sourcesof SecurityThreatsbyOrganizationType IT SECURITY OBSTACLES AND THREATS What are the greatest sources of IT security threats to your organization? (select all that apply) Education respondents note the general hacking community as a source of security threats significantly more so than other public sector groups. More federal civilians than defense also note the general hacking community. Federal and state and local respondents (particularly state respondents) indicate foreign governments as a threat more so than education respondents indicate. Significantly more federal (particularly defense) and state and local respondents than education indicate terrorists as a threat. For careless/untrained insiders (the top source of threats overall), there are no significant differences between organization types. 11 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400 Note: Multiple responses allowed = statistically significant difference Federal State & Local Education General hacking community 40% 51% 54% Foreign governments 48% 18% 4% Terrorists 22% 15% 3% State Local Foreign governments 25% 7% Defense Civilian General hacking community 33% 47% Terrorists 30% 15%
  12. 12. Sourcesof SecurityThreats – FederalTrend IT SECURITY OBSTACLES AND THREATS What are the greatest sources of IT security threats to your organization? (select all that apply) The top three sources of security threats have remained the same for the federal audience since 2014. There are no significant changes from 2018 to 2019. 12 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=200 Note: Multiple responses allowed Federal 2014 2015 2016 2017 2018 2019 Careless/untrained insiders 42% 53% 48% 54% 56% 52% Foreign governments 34% 38% 48% 48% 52% 48% General hacking community 47% 46% 46% 38% 48% 40% Hacktivists 26% 30% 38% 34% 31% 26% Malicious insiders 17% 23% 22% 29% 36% 29% Terrorists 21% 18% 24% 20% 25% 22% For-profit crime 11% 14% 18% 17% 15% 20% Industrial spies 6% 10% 16% 12% 19% 16% = top three sources
  13. 13. 3% 2% 2% 1% 1% 2% 1% 1% 2% 1% 1% 1% 1% 1% 19% 12% 10% 12% 13% 13% 11% 12% 9% 12% 11% 12% 6% 8% 42% 43% 44% 41% 39% 37% 37% 36% 35% 34% 31% 32% 36% 35% 28% 30% 32% 34% 33% 35% 37% 36% 36% 35% 39% 36% 37% 35% 10% 13% 13% 13% 14% 14% 15% 16% 18% 19% 19% 20% 20% 21% 0% 20% 40% 60% 80% 100% Supply chain and external dependencies management Auditing the environment Workforce management Event management Asset, change, and configuration management Situational awareness Information sharing and communications Risk management Patch management Threat and vulnerability management Continuity of operations Incident response Endpoint protection Identity and access management Non-existent Low Moderate High Very highMaturity: OrganizationMaturity ORGANIZATION PROFILE AND EVALUATION Thinking about your organization’s maturity of its cybersecurity capabilities, how would you rate each of the following? Identity and access management and endpoint protection are rated highest in terms of organization maturity of its cybersecurity capabilities. Supply chain and external dependencies management is rated the lowest. 13 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400 % Very High/ High 56% 57% 55% 57% 54% 54% 51% 51% 49% 47% 46% 45% 43% 37%
  14. 14. OrganizationMaturitybyOrganizationType ORGANIZATION PROFILE AND EVALUATION Thinking about your organization’s maturity of its cybersecurity capabilities, how would you rate each of the following? Federal respondents’ ratings are significantly more mature than state and local and education respondents in many cybersecurity capabilities. State respondents also tend to be more mature in their capabilities than local respondents. Hi-Ed respondents are more mature than K-12. 14 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400 % Very High/High Federal State & Local Education Identity and access management 65% 53% 42% Endpoint protection 65% 53% 45% Incident response 64% 53% 40% Continuity of operations 64% 48% 53% Threat and vulnerability management 64% 46% 41% Patch management 61% 49% 45% Risk management 59% 46% 41% Information sharing and communications 57% 48% 44% Situational awareness 57% 40% 43% Asset, change, and configuration management 57% 33% 43% Event management 53% 42% 37% Workforce management 53% 38% 36% Auditing the environment 51% 36% 34% = statistically significant difference % Very High/High K-12 Hi-Ed Identity and access management 33% 52% Incident response 29% 52% Continuity of operations 40% 67% Threat and vulnerability management 31% 52% Patch management 35% 56% Risk management 31% 52% Information sharing and communications 31% 58% Asset, change, and configuration management 33% 54% Workforce management 27% 46% % Very High/High State Local Identity and access management 63% 39% Patch management 58% 37% Supply chain and external dependencies management 42% 17%
  15. 15. AverageOrganizationMaturitybyOrganizationType ORGANIZATION PROFILE AND EVALUATION Thinking about your organization’s maturity of its cybersecurity capabilities, how would you rate each of the following? When averaging all cybersecurity maturity ratings, federal respondents are overall significantly more mature than state and local and education respondents. For education, Hi-Ed is significantly more mature than K-12. 15 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400 = statistically significant difference 3.35 3.40 3.67 3.52 1.00 2.00 3.00 4.00 5.00 Education State and Local Federal Total Public Sector 3.18 3.53 3.31 3.46 3.60 3.74 1.00 2.00 3.00 4.00 5.00 K-12 Hi-Ed Local State Civilian Defense Average Organization Maturity (1=Non-Existent, 5=Very High)
  16. 16. % Significant/ Moderate Impact 75% 80% 68% 73% 67% 75% 70%5% 4% 6% 3% 8% 3% 5% 26% 22% 28% 24% 24% 17% 20% 49% 49% 39% 45% 38% 50% 38% 21% 26% 29% 29% 30% 31% 37% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Working with outside vendors/providers The availability of security solutions Well-publicized data breaches in the media Investment in training for employees Experiencing an actual breach in my organization Greater awareness of the sources of security risks Compliance mandates or regulations (i.e., GDPR, HIPAA, FISMA, RMF, DISA STIGs, etc.) No impact Minor impact Moderate impact Significant impact ImpactsontheEvolutionof ITSecurityPolicies ORGANIZATION PROFILE AND EVALUATION What impact do you think the following factors have had on your organization’s evolution of its IT security policies and practices? Compliance mandates or regulations and a greater awareness of the sources of security risks have had the greatest impact on the evolution of public sector IT security policies and practices. 16 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400
  17. 17. ImpactsonITSecurityPoliciesbyOrganizationType ORGANIZATION PROFILE AND EVALUATION What impact do you think the following factors have had on your organization’s evolution of its IT security policies and practices? Significantly more federal than other public sector respondents think compliance mandates or regulations and investment in training for employees have impacted their organization’s evolution of its IT security policies and practices. A larger proportion of defense than civilian respondents think greater awareness of the sources of security risks and investment in training for employees have had an impact. More state respondents than local indicate compliance mandates or regulations have had an impact. A larger proportion of Hi-Ed than K-12 respondents indicate the availability of security solutions. 17 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400 % Significant/Moderate Impact Federal State & Local Education Compliance mandates or regulations 79% 68% 73% Investment in training for employees 77% 72% 66% = statistically significant difference % Significant/Moderate Impact State Local Compliance mandates or regulations 80% 51% % Significant/Moderate Impact Defense Civilian Greater awareness of the sources of security risks 88% 76% Investment in training for employees 84% 71% % Significant/Moderate Impact K-12 Hi-Ed The availability of security solutions 65% 83%
  18. 18. ITOperationsandITSecurityStructure ORGANIZATION PROFILE AND EVALUATION Which statement best describes your organization’s IT operations/infrastructure team and IT security team? 18 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400 51% 49% We have separate departments or teams with different staff and purpose. Our IT security efforts are absorbed by IT personnel within the same department. Federal State & Local Education We have separate departments or teams with different staff and purpose 61% 50% 31% Our IT security efforts are absorbed by IT personnel within the same department 40% 50% 69% = statistically significant difference When describing their organization’s IT operations/infrastructure team and IT security team, public sector respondents overall are split with about half having separate departments and half being within the same department. Most federal respondents indicate they have separate departments, education indicates the same department, and state and local are split between either having a separate or being within the same department.
  19. 19. 6% 5% 3% 2% 3% 4% 2% 2% 17% 12% 13% 14% 15% 11% 12% 12% 34% 34% 36% 34% 32% 32% 31% 29% 30% 32% 30% 31% 32% 33% 35% 33% 13% 17% 18% 18% 18% 19% 19% 24% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Sharing of staff Efficient use of staff’s time Sharing of resources Alignment of priorities Collaboration Communication Efficiency when working through security issues Efficient use of technologies Inferior Not quite acceptable Acceptable Good Very good ITOperationsandITSecurityTeamsRelationship ORGANIZATION PROFILE AND EVALUATION Overall, how would you rate your organization’s IT operations/infrastructure team’s working relationship with your IT security team on the following factors? When rating their organization’s IT operations/infrastructure team’s working relationship with their IT security team, respondents rate efficient use of technologies the highest. 19 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=202 % Very Good/ Good 57% 54% 52% 50% 50% 48% 49% 43%
  20. 20. ITOperations and ITSecurity Relationship byOrganization Type ORGANIZATION PROFILE AND EVALUATION Overall, how would you rate your organization’s IT operations/infrastructure team’s working relationship with your IT security team on the following factors? Education respondents rate efficiency when working through security issues, communication, and sharing of staff higher than ratings from federal and state and local respondents. 20 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=202 = statistically significant difference 55% 53% 41%44% 42% 36% 68% 68% 61% 0% 10% 20% 30% 40% 50% 60% 70% 80% Efficiency when working through security issues Communication Sharing of staff % Very Good/Good Federal State & Local Education
  21. 21. Organization’sITSecurityOperations ORGANIZATION PROFILE AND EVALUATION How are your organization’s IT security operations currently sourced? (select all that apply) The majority, and significantly more so for state and local, indicate their organization's IT security operations are sourced through in-house staff. More federal than other public sector respondents use an on-site contractor. Local respondents are more likely than state to outsource to a managed service provider. 21 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400 Note: Multiple responses allowed 25% 28% 86% 0% 20% 40% 60% 80% 100% On-site contractor Outsourced to a managed security service provider In-house staff = statistically significant difference Federal State & Local Education In-house staff 82% 91% 87% On-site contractor 41% 9% 10% State Local Outsourced to a managed security service provider 15% 39%
  22. 22. ConfidenceinKeepingUpWithThreats ORGANIZATION PROFILE AND EVALUATION [IF IN-HOUSE] How confident are you that your in-house staff can keep up with today’s evolving threats by maintaining the right skills? [IF OUTSOURCED TO A MANAGED SECURITY SERVICE PROVIDER] How confident are you that your outsourced managed security service provider can keep up with today’s evolving threats? [IF ON-SITE CONTRACTOR] How confident are you that your on-site contractor can keep up with today’s evolving threats? Only four in ten public sector respondents are very confident in their team’s ability to keep up with today’s evolving threats. 22 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED 6% 6% 10% 55% 47% 49% 39% 47% 41% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% On-site contractor Outsourced to a managed security service provider In-house staff Not at all confident Somewhat confident Very confident In-house N=342 Outsourced N=113 On-site contractor N=101
  23. 23. MetricsUsedtoMeasureITSecurityTeamSuccess ORGANIZATION PROFILE AND EVALUATION What type(s) of performance metrics does your organization use to measure the success of its IT security team? (select all that apply) Incidents detected, meeting compliance goals, compliance audit results, and threats averted are the metrics used by most public sector organizations to measure the success of their organization’s IT security team. 23 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400 Note: Multiple responses allowed 1% 31% 35% 36% 37% 39% 50% 52% 53% 58% 0% 10% 20% 30% 40% 50% 60% 70% Other Maintaining overall budget thresholds Mean time to detect Time it takes to patch Level of device preparedness Mean time to resolve Threats averted Compliance audit results Meeting compliance goals Incidents detected
  24. 24. MetricsUsedtoMeasureSuccessbyOrganizationType ORGANIZATION PROFILE AND EVALUATION What type(s) of performance metrics does your organization use to measure the success of its IT security team? (select all that apply) Significantly more federal than other public sector respondents indicate meeting compliance goals is used to measure the success of their organization’s IT security team. More federal and state and local respondents than education use compliance audit results to measure success. A significantly larger proportion of state and local respondents use threats averted. A larger proportion of education respondents use level of device preparedness. For incidents detected (the top metric mentioned overall), there are no significant differences between organization types. 24 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400 Note: Multiple responses allowed = statistically significant difference Federal State & Local Education Meeting compliance goals 57% 53% 43% Compliance audit results 58% 53% 39% Threats averted 51% 56% 41% Level of device preparedness 34% 36% 46%
  25. 25. SegmentingAccessbyUserRiskLevel SEGMENTATION OF USERS AND ZERO-TRUST APPROACH Does your organization formally segment its users’ access to systems and data according to the level of risk associated with the user? 25 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400 61% 26% 14% Yes – users are formally segmented We are in the process of that segmentation No – all users are considered equal Federal State & Local Education Yes – users are formally segmented 67% 58% 50% We are in the process of that segmentation 21% 27% 35% Defense Civilian We are in the process of that segmentation 13% 28% = statistically significant difference Over half indicate their organization formally segments its users’ access to systems and data according to the level of risk associated with the user. Significantly more federal than other public sector respondents say their users are formally segmented.
  26. 26. ChallengesSegmentingUsersbyRiskLevel SEGMENTATION OF USERS AND ZERO-TRUST APPROACH What challenges does your organization face when segmenting its users by their level of associated risk? (select all that apply) The growing number of systems users need access to, an increased number of devices, and a growing number of users are the top challenges public sector organizations face when segmenting users by their level of associated risk. 26 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400 Note: Multiple responses allowed 2% 22% 24% 25% 26% 27% 27% 43% 45% 48% 0% 10% 20% 30% 40% 50% 60% Other Lack of business risk information Not enough information about the user to establish associated risk Users have multiple identities Lack of personnel to properly segment Other tasks take priority Lack of skillset to properly segment Growing number of users Increased number of devices Growing number of systems users need access to = statistically significant difference Federal State & Local Education Users have multiple identities 32% 17% 18%
  27. 27. ProportionofPrivilegedUsers SEGMENTATION OF USERS AND ZERO-TRUST APPROACH What proportion of your total users at your organization are privileged users [MOUSE-OVER DEFINITION: Privileged user accounts are authorized (and therefore, trusted) to have access on an enterprise domain, allowing them to have admin rights on, for example, their local desktops or across the systems they manage.]? The majority of respondents indicate 10 percent or less of total users at their organization are privileged users. 27 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED 6% 2% 1% 2% 4% 4% 7% 11% 14% 21% 29% 1% 0% 5% 10% 15% 20% 25% 30% 35% Unsure 100% 71 – 99% 61 – 70% 51 – 60% 41 – 50% 31 – 40% 21 – 30% 11 – 20% 6 – 10% < 5% Zero N=400 50%
  28. 28. 1% 1% 8% 10% 26% 28% 34% 41% 44% 55% 62% 0% 10% 20% 30% 40% 50% 60% 70% Other Outside vendors, partners, third parties – Non-IT Outside vendors, partners, third parties – IT Mid-level managers – Non-IT Senior managers – Non-IT C-level executives – Non-IT Mid-level managers – IT Security operations staff C-level executives – IT Senior managers – IT IT administrators DesignatedPrivilegedUsers SEGMENTATION OF USERS AND ZERO-TRUST APPROACH Who are designated as privileged users at your organization? (select all that apply) IT administrators are mentioned most often by respondents as being designated as privileged users at their organization. 28 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED Note: Multiple responses allowed N= 397 41% Have Privileged Users That Are Non-IT
  29. 29. DesignatedPrivilegedUsersby OrganizationType SEGMENTATION OF USERS AND ZERO-TRUST APPROACH Who are designated as privileged users at your organization? (select all that apply) Significantly more federal (particularly civilian) than other public sector respondents note IT administrators are designated as privileged users at their organization. More federal and state and local (particularly state) than education respondents (driven down by K-12) indicate security operations staff are privileged users. A larger proportion of education and state and local than federal (driven down by civilian) respondents note C-level executives – non-IT. A larger proportion of education respondents indicate senior managers – non-IT. More federal respondents (particularly civilian) note outside vendors, partners, third parties – IT. 29 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED Note: Multiple responses allowed N= 397 = statistically significant difference Federal State & Local Education IT administrators 68% 62% 50% Security operations staff 48% 40% 27% C-level executives – Non-IT 19% 33% 41% Senior managers – Non-IT 20% 26% 37% Outside vendors, partners, third parties – IT 13% 4% 1% State Local Security operations staff 49% 27% Defense Civilian IT administrators 61% 75% C-level executives – Non-IT 25% 13% Outside vendors, partners, third parties – IT 7% 17% K-12 Hi-Ed Security operations staff 16% 38%
  30. 30. UsingaZero-TrustApproachto ITSecurity SEGMENTATION OF USERS AND ZERO-TRUST APPROACH Is your organization currently using or considering a Zero Trust approach to IT security? [MOUSE-OVER DEFINITION: Zero trust security means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network.] Nearly one third have a formal strategy in place and are actively implementing the Zero-Trust approach. A significantly larger proportion of state than local respondents are not using or considering a Zero-Trust approach. 30 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED 15% 24% 32% 30% 0% 5% 10% 15% 20% 25% 30% 35% I don’t know/I’m not familiar with a Zero Trust approach No, we are not currently using or considering a Zero Trust approach Yes, we are modeling our approach based on Zero Trust but there is no formal strategy in place Yes, we have a formal strategy in place and are actively implementing the approach N=400 = statistically significant difference State Local No, we are not currently using or considering a Zero Trust approach 37% 5%
  31. 31. 11% 14% 11% 7% 9% 13% 9% 8% 6% 10% 7% 25% 22% 20% 21% 17% 23% 15% 16% 18% 20% 18% 40% 40% 39% 39% 39% 37% 42% 42% 41% 40% 38% 18% 18% 23% 25% 26% 18% 25% 25% 25% 19% 25% 7% 7% 7% 8% 9% 10% 10% 10% 11% 12% 12% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Lack of out-of-the-box solutions available User identity management (multiple identities) Lack of policies and processes Device management Sprawling infrastructure Leadership/executive resistance Other IT initiatives take priority Volume of network activity Complexity of enterprise Lack of IT/security staff expertise Solutions are too costly Not at all challenging Slightly challenging Moderately challenging Very challenging Extremely challenging ChallengestoAdoptingaZero-TrustApproach SEGMENTATION OF USERS AND ZERO-TRUST APPROACH To what extent are each of the following a challenge that inhibits organizations from adopting a Zero Trust [MOUSE-OVER DEFINITION: Zero trust security means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network.] approach to IT security? Solutions being too costly is the top challenge inhibiting organizations from adopting a Zero-Trust approach to IT security. 31 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400 % Extremely/ Very Challenging 37% 30% 35% 35% 35% 27% 35% 33% 30% 24% 25%
  32. 32. Challenges toAdopting aZero-Trust Approach byOrganization Type SEGMENTATION OF USERS AND ZERO-TRUST APPROACH To what extent are each of the following a challenge that inhibits organizations from adopting a Zero Trust [MOUSE-OVER DEFINITION: Zero trust security means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network.] approach to IT security? Complexity of the enterprise is noted as a challenge to adopting a Zero-Trust approach to IT security significantly more often by federal than other public sector respondents. More state than local respondents indicate complexity of the enterprise and lack of polices and processes are challenges. More K-12 than Hi-Ed respondents indicate lack of IT/security staff expertise and leadership/executive resistance are challenges. 32 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400 % Extremely/Very Challenging Federal State & Local Education Complexity of enterprise 41% 28% 32% = statistically significant difference % Extremely/Very Challenging State Local Complexity of enterprise 37% 15% Lack of policies and processes 44% 7% % Extremely/Very Challenging K-12 Hi-Ed Lack of IT/security staff expertise 37% 19% Leadership/executive resistance 37% 15%
  33. 33. RiskAssociatedWithUserTypes SEGMENTATION OF USERS AND ZERO-TRUST APPROACH How would you rate the perceived risk associated with the following types of users as it pertains to IT security, access rights and the potential threat? Although only rated by education respondents, students are the highest risk to IT security. Overall, citizens accessing free Wi-Fi in public buildings, temporary employees/contractors (non-IT), and outside vendors, partners, and third parties are also noted as some of the highest risk users. 33 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400 1% 1% 1% 1% 1% 1% 2% 2% 7% 2% 7% 7% 7% 10% 4% 6% 4% 4% 11% 3% 34% 34% 34% 33% 20% 22% 17% 22% 18% 9% 37% 36% 30% 31% 44% 34% 37% 32% 27% 37% 15% 16% 21% 17% 22% 26% 24% 26% 17% 25% 6% 7% 8% 9% 10% 12% 16% 16% 21% 24% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Mid-level managers Other IT personnel Senior leadership/executives System administrators Other employees Temporary employees/contractors (IT-focused) Outside vendors, partners, third parties Temporary employees/contractors (non-IT) Citizens accessing free Wi-Fi in public buildings Students [education only] NA None Low Moderate High Very highPerceived Risk: % Very High/ High 49% 38% 41% 40% 38% 31% 25% 29% 23% 21%
  34. 34. RiskAssociatedWithUserTypesbyOrganizationType SEGMENTATION OF USERS AND ZERO-TRUST APPROACH How would you rate the perceived risk associated with the following types of users as it pertains to IT security, access rights and the potential threat? Federal respondents rate the perceived risk associated with temporary employees/contractors (both non-IT and IT-focused) and outside vendors, partners, and third parties higher than other public sector respondents' ratings. Four in ten federal and state and local government respondents note temporary employees/contractors and outside vendors, partners, and third parties as the greatest risks to security. Education respondents rate citizens accessing free Wi-Fi in public buildings riskier than other public sector respondents' ratings. More state than local respondents find temporary employees/contractors (both non-IT and IT-focused) and outside vendors, partners, and third parties risky. 34 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400 % Very High/High Federal State & Local Education Temporary employees/contractors (non-IT) 45% 41% 33% Temporary employees/contractors (IT-focused) 45% 38% 25% Outside vendors, partners, third parties 47% 40% 28% Citizens accessing free Wi-Fi in public buildings 36% 31% 49% = statistically significant difference % Very High/High State Local Temporary employees/contractors (non-IT) 53% 24% Temporary employees/contractors (IT-focused) 54% 15% Outside vendors, partners, third parties 51% 24%
  35. 35. UsersMostatRiskforDoingHarm SEGMENTATION OF USERS AND ZERO-TRUST APPROACH What percent of your organization's users do you estimate to be most at risk for potentially doing harm (either careless or malicious) to your organization? The majority estimate 10 percent or less of their organization's users are most at risk for potentially doing harm (either careless or malicious) to their organization. 35 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED 3% 1% 1% 2% 3% 4% 6% 11% 16% 22% 29% 2% 0% 5% 10% 15% 20% 25% 30% 35% Unsure 100% 71 – 99% 61 – 70% 51 – 60% 41 – 50% 31 – 40% 21 – 30% 11 – 20% 6 – 10% < 5% Zero N=400 Federal State & Local Education < 5% 32% 33% 20% = statistically significant difference 53%
  36. 36. Effectivenessof Toolsto FosterSecurity USE AND EVALUATION OF TOOLS The following are tools and practices that foster network and application security. Please indicate the effectiveness for each at your organization. Endpoint security software is the highest rated tool for effectively fostering network and application security. 36 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400 9% 9% 8% 4% 6% 4% 7% 12% 3% 6% 4% 3% 11% 12% 9% 9% 8% 10% 8% 9% 11% 7% 7% 7% 47% 45% 45% 48% 46% 44% 42% 33% 40% 39% 40% 39% 33% 35% 39% 39% 40% 42% 43% 45% 47% 49% 50% 52% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% File integrity monitoring software Messaging security software Security information event management (SIEM) software Configuration management software Vulnerability management software Web application security tools Network admission control (NAC) solutions Smart card/Common access card for authentication Patch management software Password management tools Identity and access management tools Endpoint security software Do not use Low Moderate HighEffectiveness:
  37. 37. % High State Local Identity and access management tools 53% 27% Smart card/Common access card for authentication 39% 17% % High K-12 Hi-Ed Messaging security software 21% 46% % High Defense Civilian Network admission control (NAC) solutions 56% 42% Effectivenessof ToolsbyOrganizationType USE AND EVALUATION OF TOOLS The following are tools and practices that foster network and application security. Please indicate the effectiveness for each at your organization. More federal than other respondents indicate endpoint security software, identity and access management tools, patch management software, smart cards, and network admissions control solutions are highly effective at fostering network and application security at their organization. A larger proportion of defense than civilian respondents indicate NAC solutions are highly effective. More state than local respondents indicate identity and access management tools and smart cards/common access cards for authentication are effective. A larger proportion of Hi-Ed than K-12 respondents indicate messaging security software is effective. 37 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED N=400 % High Federal State & Local Education Endpoint security software 57% 41% 51% Identity and access management tools 56% 42% 48% Patch management software 51% 48% 37% Smart card/Common access card for authentication 65% 30% 21% Network admission control (NAC) solutions 49% 35% 39% = statistically significant difference
  38. 38. 38VERBATIM COMMENTS A major ongoing challenge is integrating security protocols without detriment to network latency and response times. IT AND NETWORK SYSTEMS OPERATIONS MANAGER, DEFENSE “ Security is everyone's job, but holding the team accountable is lacking. Until there are real individual accountability regimens in place, the network will remain at risk. DIVISION CHIEF, FEDERAL CIVILIAN “ Not enough manpower, money, or resources. Waiting for a ticking bomb to go off. CTO, K-12 “ Unfortunately, budget constraints and operational red tape prevents things from being as secure and efficient as they need to be. IT MANAGER, K-12 “ Please feel free to share any other comments or concerns regarding your organization’s unique security challenges or success stories. ExamplesofComments Everything starts at the top. If C-level doesn't put an emphasis on security, it puts us at risk. IT MANAGER, LOCAL GOV “ Because it is the government sector and government contracts are at play. I think that there is a ceiling when it comes to looking at innovative, out-of-the-box alternatives. SYSTEMS ADMINISTRATOR, FEDERAL CIVILIAN “ Meeting the online needs of 12,000 plus students always presents challenging security issues, but we have been able to manage without a major event so far. VP OPERATIONS, HI-ED “ Our organization operates in denial with a preference for reactionary behavior instead of operating proactively. Government agencies tend to view IT spending as throwing money into a black hole until something occurs. SR. IT PROJECT MANAGER AND ANALYST, STATE GOV “ © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED Greatest challenge is always protecting data from malware and attacks from both internal and external users. DIRECTOR, STATE GOV “
  39. 39. Key Takeaways The federal audience tends to be more mature than state and local and education audiences in its IT security capabilities. • Federal respondents’ ratings are significantly more mature than state and local and education respondents in many cybersecurity capabilities. State respondents also tend to be more mature in their capabilities than local respondents, and Hi-Ed respondents are more mature than K-12. • Significantly more federal than other public sector respondents think compliance mandates or regulations and investment in training for employees have impacted their organization’s evolution of its IT security policies and practices. • More federal than other public sector respondents say their users’ access to systems and data are formally segmented according to the level of risk associated with the user. • More federal than other public sector respondents indicate endpoint security software, identity and access management tools, patch management software, smart cards, and network admissions control solutions are highly effective at fostering network and application security at their organization. 39 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
  40. 40. Key Takeaways Budget constraints is the most significant high-level obstacle to maintaining or improving IT security in public sector organizations. • Budget constraints top the list of significant obstacles to maintaining or improving organization IT security for all public sector groups, and significantly more so for education respondents (driven by K-12). • Budget constraints have declined since 2014 for the federal audience, but still remain the top obstacle. • Solutions being too costly is the top challenge that inhibits organizations from adopting a Zero-Trust approach to IT security. 40 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
  41. 41. Key Takeaways Complexity of the environment is one of the top challenges to improving IT security, adopting a Zero- Trust approach, and user segmentation. • Complexity of the internal environment is the second most significant high-level obstacle to maintaining or improving IT security. Federal respondents indicate the complexity of the internal environment more than other public sector respondents do. The complexity of the internal environment as an obstacle has increased since 2014 for the federal audience. • Complexity of the enterprise is one of the top challenges that inhibit organizations from adopting a Zero-Trust approach to IT security. • The growing number of systems users need access to, an increased number of devices, and a growing number of users are the top challenges organizations face when segmenting users by their level of associated risk. 41 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
  42. 42. Key Takeaways The majority note careless/ untrained insiders as the greatest source of IT security threats at their organization. But overall, most feel their organization is keeping up with threats. • Over half note careless/untrained insiders as the largest source of security threats. • Students, citizens accessing free Wi-Fi in public buildings, temporary employees/contractors (non-IT), and outside vendors, partners, and third parties are noted as some of the highest risk users to IT security. • The majority estimate 10 percent or less of their organization's users are most at risk for potentially doing harm (either careless or malicious) to their organization. • Regardless of the method being used to source their organization’s IT security operations (in-house staff, outsourced to a managed security service provider, or on-site contractor), most are confident they are keeping up with today’s evolving threats. 42 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
  43. 43. Contact Information Laurie Morrow, VP, Research Strategy, Market Connections, Inc. LaurieM@marketconnectionsinc.com 571-257-3845 Lisa M. Sherwin Wulf, Vice President of Americas Marketing – ITOM, SolarWinds Lisa.SherwinWulf@solarwinds.com 703-386-2628 www.solarwinds.com/government LinkedIn: SolarWinds Government 43 © 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED Elizabeth Lowery, Research Manager, Market Connections, Inc. ElizabethL@marketconnectionsinc.com 703-972-5875

×