The Impact of Public Policy on Cybersecurity
By Matt Schrader, Director of Government Relations & Public Policy
As someone who has been involved with government relations in some shape, form or fashion my entire career, I have watched as cybersecurity has grown exponentially as an issue for public policymakers to address. Cybersecurity is no longer “just” an IT issue. It is an issue that impacts all business units of a company, all government organizations, and all U.S. citizens. It is now a priority at the CEO and board of directors’ level for companies, and without question, impacts the daily lives of almost every American with regard to the protection of their information online.
So it was with great interest that Adobe commissioned the first-ever survey of cybersecurity professionals to gauge their interest in and awareness of public policy developments, and the impact those developments have on their jobs. The study involved more than 500 private and public sector U.S.-based cybersecurity professionals, from manager-level all the way to C-level executives. You can access the results here and see an infographic of survey highlights here.
It didn’t take long for the survey to turn up what I thought were some interesting findings. Alarmingly, while nine out of ten agreed that public policy affects their jobs on a daily basis, only 48% said they followed cybersecurity policy issues very closely. Even worse, only 37% felt completely prepared for upcoming policy changes and only 28% thought that the cybersecurity industry as a whole was completely prepared to deal with future public policy developments.
Compliance was a major pain point. 86% agreed that regulations make organizations focus more on compliance than on security itself, and 64% agreed that their organization spent too much of its time and budget on compliance. 92% of respondents said the information security industry needs more common security standards and frameworks, with participants pointing to the lack of uniformity and clarity in current standards as a source of frustration and inefficiency.
It was also interesting to note that 88% said monitoring to detect data breaches at the file level is important for their organization. Yet of the respondents who work in the public sector*, only 49% said they have tools in place to do so. Lastly, 96% of all respondents – in the public and private sectors – agreed that modernizing technology is critical to effective government cybersecurity, yet initiatives to support IT modernization haven’t seen a commensurate level of funding support from policymakers.
The survey also revealed a stark need for – and lack of – automated system patching to ensure more effective cybersecurity. While 80% of respondents said that automated system patching was important, only 44% said it was a measure that was in place at their organization. Given the fact that in many cases the majority of damage inflicted by a cyber attack is due to organizations not having implemented the latest patches to update their networks, the survey reflects a key area of focus with regard to standards and public policy.
The results call out additional findings. First, a lot of work remains to be done to help cybersecurity professionals become more aware of and have a better understanding of the impacts of public policy on their industry. It would behoove cybersecurity professionals as individuals to be more proactive in taking advantage of the various options to keep up on developments, either via numerous trade organizations, non-profit associations or targeted media outlets. Internally, the legal department is a good source of information, and if an organization is large enough, so is its internal government relations team. Lastly, social media outlets can be a tremendous resource for following public policy events if carefully selected.
The survey also identifies a gap between priorities outlined by security professionals and the additional steps government agencies need to take to adequately protect sensitive documents. Though initiatives like the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program are a promising step toward file/content-level data protection, Phase 4 (Protecting Data on the Network) of the program hasn’t yet been fully funded despite guidance from security experts. The data from Adobe’s survey drives home the need for agencies to prioritize deployment of more modern security tools, including digital rights management (DRM) and attribute-based access controls (ABAC), and update security standards to give organizations clearer paths to compliance.
The survey yielded a number of other interesting tidbits of information, and I encourage both cybersecurity professionals and public policy staffers to check out additional findings at the following link.
*Note: small sample size for government employees and contractors; n=76