Weitere ähnliche Inhalte Ähnlich wie SolarWinds Public Sector Cybersecurity Survey Report 2020 (20) Kürzlich hochgeladen (20) SolarWinds Public Sector Cybersecurity Survey Report 20202. 2
PRIMARY OBJECTIVES:
• Determine challenges faced by public sector IT professionals and
sources of IT security threats
• Evaluate cybersecurity capabilities and factors that have impacted
IT security and policies
• Identify IT team structures, how IT security operations are
sourced, and their level of success
• Determine if organizations segment users by risk level, the
challenges associated with segmentation, and the perceived risk
associated with different user types
• Identify privileged users and if organizations are using a Zero-Trust
approach to IT security
SolarWinds contracted
Market Connections to
design and conduct an
online survey among
400 public sector IT
decision makers and
influencers in December
2019 through January
2020. SolarWinds was
not revealed as the
sponsor of the survey.
Methodology
2
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
3. 2%
2%
4%
5%
6%
12%
13%
15%
21%
22%
0% 10% 20% 30%
Federal judicial branch
Federal legislature
Intelligence agency
County government
City/Municipal government
Education: Higher education (Hi-Ed)
Education: K-12
State government
Department of Defense or military service
Federal civilian or independent government agency
Organization Type
OrganizationsRepresented
3
Which of the following best describes your current employer?
N=400
RESPONDENT CLASSIFICATIONS
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
Count Percent
Federal
government
200 50%
State and local
government
100 25%
Education 100 25%
All respondents work for the public sector with half in the federal government, one-quarter in state
and local government, and one-quarter in education.
4. 2%
21%
26%
51%
0% 20% 40% 60%
500,000 – 999,999
1 million – 4.9 million
5 million – 9.9 million
10 million+
State and Local Population
SLEDPopulationandEnrollment
4
A range of state and local populations and school enrollments are represented in the sample. Smaller
state, local, and education (SLED) populations and enrollments were excluded from participating.
[STATE, COUNTY, OR CITY GOVERNMENT] What is the estimated population of the [“state,” “county,” OR “city”] that you work for?
[EDUCATION: K-12] How many total students are currently enrolled at the school(s) where you are involved with IT security and/or IT operations and management?
[EDUCATION: HIGHER EDUCATION] How many students are currently enrolled at your college or university?
21%
31%
19%
21%
8%
0% 10% 20% 30% 40%
2,000 – 4,999
5,000 – 9,999
10,000 – 19,999
20,000 – 39,999
40,000+
Higher Education Enrollment
RESPONDENT CLASSIFICATIONS
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=100
17%
13%
12%
13%
6%
21%
17%
0% 10% 20% 30% 40%
250 – 499
500 – 749
750 – 999
1,000 – 1,499
1,500 – 1,999
2,000 – 4,999
5,000+
K-12 Enrollment
N=52 N=48
5. 6%
24%
31%
48%
51%
51%
58%
0% 10% 20% 30% 40% 50% 60% 70%
Other involvement
Make the final decision - financial aspects
Make the final decision - technical aspects
Develop technical requirements
Manage or implement security/IT operations
Evaluate or recommend firms
On a team that makes decisions
Decision-MakingInvolvement
5
All respondents are knowledgeable or involved in decisions and recommendations regarding IT
operations and management and IT security solutions and services.
How are you involved in your organization’s decisions or recommendations regarding IT operations and management and IT security solutions and services? (select all that apply)
N=400
Note: Multiple responses allowed
RESPONDENT CLASSIFICATIONS
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
6. JobFunctionandTenure
6
A variety of job functions and tenures are represented in the sample, with most being IT management
and working at their current organization for 5-9 years, followed by a large proportion working 20+
years.
Which of the following best describes your current job title/function? How long have you been working at your current organization?
10%
3%
6%
7%
9%
20%
46%
0% 10% 20% 30% 40% 50%
Other
CSO/CISO
CIO/CTO
Security/IA staff
Security/IA director
or manager
IT/IS staff
IT director/manager
Job Function
3%
6%
9%
26%
18%
16%
23%
0% 10% 20% 30% 40%
<1 Year
1-2 Years
3-4 Years
5-9 Years
10-14 Years
15-19 Years
20+ Years
Tenure
RESPONDENT CLASSIFICATIONS
Examples Include:
• COO
• Executive Director
• Senior Program
Manager/Program
Supervisor
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
7. LocationofITSecurityProducts
7
IT security products are located primarily on-premises or in a private cloud. The respondents’
preferred location of these products is similar to the current location.
Where are the IT security products your organization uses currently? Where would you prefer these products to be located? (select all that apply)
68%
50%
19%
15%
57%
52%
16% 18%
0%
10%
20%
30%
40%
50%
60%
70%
80%
On-premises/traditional data center Government (private) cloud Public cloud Hybrid cloud
Currently located Preferred location
RESPONDENT CLASSIFICATIONS
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
Note: Multiple responses allowed
Currently located Federal
State &
Local
Education
Government (private) cloud 62% 58% 19%
Public cloud 16% 14% 31%
= statistically significant difference
Preferred location Federal
State &
Local
Education
Government (private) cloud 64% 55% 24%
Public cloud 13% 14% 25%
8. ITSecurityObstacles
IT SECURITY OBSTACLES AND THREATS
What is the most significant high-level obstacle to maintaining or improving IT security at your organization?
Budget constraints top the list of significant obstacles to maintaining or improving organization IT security.
1%
4%
5%
7%
8%
8%
10%
14%
16%
27%
0% 5% 10% 15% 20% 25% 30%
Other
Lack of technical solutions available at my organization
Lack of clear standards
Inadequate internal collaboration with other teams
Lack of top-level direction and leadership
Lack of training for personnel
Lack of manpower
Competing priorities and other initiatives
Complexity of internal environment
Budget constraints
8
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
9. ITSecurityObstaclesbyOrganizationType
IT SECURITY OBSTACLES AND THREATS
What is the most significant high-level obstacle to maintaining or improving IT security at your organization?
Education respondents indicate more so than other public sector
groups that budget constraints (driven by K-12) and lack of training
for personnel are obstacles to maintaining or improving IT security.
Federal respondents indicate the complexity of the internal
environment more than other public sector respondents.
While budget constraints have declined since 2014 for the federal
audience, the complexity of the internal environment as an
obstacle has increased.
9
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
Federal
State &
Local
Education
Budget constraints 24% 27% 35%
Complexity of internal
environment
21% 13% 8%
Lack of training for
personnel
6% 7% 14%
= statistically significant difference
K-12 Hi-Ed
Budget constraints 44% 25%
Federal 2014 2019
Budget constraints 40% 24%
Complexity of internal
environment
14% 21%
10. Sourcesof SecurityThreats
IT SECURITY OBSTACLES AND THREATS
What are the greatest sources of IT security threats to your organization? (select all that apply)
Careless/untrained insiders are noted as the largest source of security threats at public sector organizations.
10
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
Note: Multiple responses allowed
3%
1%
13%
16%
21%
27%
28%
29%
46%
52%
0% 10% 20% 30% 40% 50% 60%
None of the above
Other
Industrial spies
Terrorists
For-profit crime
Hacktivists
Malicious insiders
Foreign governments
General hacking community
Careless/untrained insiders
11. Sourcesof SecurityThreatsbyOrganizationType
IT SECURITY OBSTACLES AND THREATS
What are the greatest sources of IT security threats to your organization? (select all that apply)
Education respondents note the general hacking community as
a source of security threats significantly more so than other
public sector groups. More federal civilians than defense also
note the general hacking community.
Federal and state and local respondents (particularly state
respondents) indicate foreign governments as a threat more so
than education respondents indicate.
Significantly more federal (particularly defense) and state and
local respondents than education indicate terrorists as a threat.
For careless/untrained insiders (the top source of threats
overall), there are no significant differences between
organization types.
11
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
Note: Multiple responses allowed = statistically significant difference
Federal
State &
Local
Education
General hacking community 40% 51% 54%
Foreign governments 48% 18% 4%
Terrorists 22% 15% 3%
State Local
Foreign governments 25% 7%
Defense Civilian
General hacking community 33% 47%
Terrorists 30% 15%
12. Sourcesof SecurityThreats – FederalTrend
IT SECURITY OBSTACLES AND THREATS
What are the greatest sources of IT security threats to your organization? (select all that apply)
The top three sources of security threats have remained the same for the federal audience since 2014. There are
no significant changes from 2018 to 2019.
12
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=200
Note: Multiple responses allowed
Federal 2014 2015 2016 2017 2018 2019
Careless/untrained
insiders
42% 53% 48% 54% 56% 52%
Foreign governments 34% 38% 48% 48% 52% 48%
General hacking
community
47% 46% 46% 38% 48% 40%
Hacktivists 26% 30% 38% 34% 31% 26%
Malicious insiders 17% 23% 22% 29% 36% 29%
Terrorists 21% 18% 24% 20% 25% 22%
For-profit crime 11% 14% 18% 17% 15% 20%
Industrial spies 6% 10% 16% 12% 19% 16%
= top three sources
14. OrganizationMaturitybyOrganizationType
ORGANIZATION PROFILE AND EVALUATION
Thinking about your organization’s maturity of its cybersecurity capabilities, how would you rate each of the following?
Federal respondents’ ratings are significantly more mature than state and local and education respondents in
many cybersecurity capabilities. State respondents also tend to be more mature in their capabilities than local
respondents. Hi-Ed respondents are more mature than K-12.
14
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
% Very High/High Federal
State &
Local
Education
Identity and access management 65% 53% 42%
Endpoint protection 65% 53% 45%
Incident response 64% 53% 40%
Continuity of operations 64% 48% 53%
Threat and vulnerability management 64% 46% 41%
Patch management 61% 49% 45%
Risk management 59% 46% 41%
Information sharing and communications 57% 48% 44%
Situational awareness 57% 40% 43%
Asset, change, and configuration management 57% 33% 43%
Event management 53% 42% 37%
Workforce management 53% 38% 36%
Auditing the environment 51% 36% 34%
= statistically significant difference
% Very High/High K-12 Hi-Ed
Identity and access management 33% 52%
Incident response 29% 52%
Continuity of operations 40% 67%
Threat and vulnerability management 31% 52%
Patch management 35% 56%
Risk management 31% 52%
Information sharing and communications 31% 58%
Asset, change, and configuration management 33% 54%
Workforce management 27% 46%
% Very High/High State Local
Identity and access management 63% 39%
Patch management 58% 37%
Supply chain and external dependencies
management
42% 17%
15. AverageOrganizationMaturitybyOrganizationType
ORGANIZATION PROFILE AND EVALUATION
Thinking about your organization’s maturity of its cybersecurity capabilities, how would you rate each of the following?
When averaging all cybersecurity maturity ratings, federal respondents are overall significantly more mature than
state and local and education respondents. For education, Hi-Ed is significantly more mature than K-12.
15
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400 = statistically significant difference
3.35
3.40
3.67
3.52
1.00 2.00 3.00 4.00 5.00
Education
State and Local
Federal
Total Public Sector
3.18
3.53
3.31
3.46
3.60
3.74
1.00 2.00 3.00 4.00 5.00
K-12
Hi-Ed
Local
State
Civilian
Defense
Average Organization Maturity (1=Non-Existent, 5=Very High)
16. % Significant/
Moderate
Impact
75%
80%
68%
73%
67%
75%
70%5%
4%
6%
3%
8%
3%
5%
26%
22%
28%
24%
24%
17%
20%
49%
49%
39%
45%
38%
50%
38%
21%
26%
29%
29%
30%
31%
37%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Working with outside vendors/providers
The availability of security solutions
Well-publicized data breaches in the media
Investment in training for employees
Experiencing an actual breach in my organization
Greater awareness of the sources of security risks
Compliance mandates or regulations (i.e., GDPR, HIPAA, FISMA,
RMF, DISA STIGs, etc.)
No impact Minor impact Moderate impact Significant impact
ImpactsontheEvolutionof ITSecurityPolicies
ORGANIZATION PROFILE AND EVALUATION
What impact do you think the following factors have had on your organization’s evolution of its IT security policies and practices?
Compliance mandates or regulations and a greater awareness of the sources of security risks have had the greatest
impact on the evolution of public sector IT security policies and practices.
16
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
17. ImpactsonITSecurityPoliciesbyOrganizationType
ORGANIZATION PROFILE AND EVALUATION
What impact do you think the following factors have had on your organization’s evolution of its IT security policies and practices?
Significantly more federal than other public sector
respondents think compliance mandates or regulations and
investment in training for employees have impacted their
organization’s evolution of its IT security policies and
practices.
A larger proportion of defense than civilian respondents
think greater awareness of the sources of security risks and
investment in training for employees have had an impact.
More state respondents than local indicate compliance
mandates or regulations have had an impact.
A larger proportion of Hi-Ed than K-12 respondents indicate
the availability of security solutions.
17
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
% Significant/Moderate Impact Federal
State &
Local
Education
Compliance mandates or regulations 79% 68% 73%
Investment in training for employees 77% 72% 66%
= statistically significant difference
% Significant/Moderate Impact State Local
Compliance mandates or regulations 80% 51%
% Significant/Moderate Impact Defense Civilian
Greater awareness of the sources of security
risks
88% 76%
Investment in training for employees 84% 71%
% Significant/Moderate Impact K-12 Hi-Ed
The availability of security solutions 65% 83%
18. ITOperationsandITSecurityStructure
ORGANIZATION PROFILE AND EVALUATION
Which statement best describes your organization’s IT operations/infrastructure team and IT security team?
18
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
51% 49%
We have separate departments or teams with different staff and purpose.
Our IT security efforts are absorbed by IT personnel within the same department.
Federal
State &
Local
Education
We have separate departments or teams with
different staff and purpose
61% 50% 31%
Our IT security efforts are absorbed by IT
personnel within the same department
40% 50% 69%
= statistically significant difference
When describing their organization’s IT operations/infrastructure team and IT security team, public sector
respondents overall are split with about half having separate departments and half being within the same
department. Most federal respondents indicate they have separate departments, education indicates the same
department, and state and local are split between either having a separate or being within the same department.
19. 6%
5%
3%
2%
3%
4%
2%
2%
17%
12%
13%
14%
15%
11%
12%
12%
34%
34%
36%
34%
32%
32%
31%
29%
30%
32%
30%
31%
32%
33%
35%
33%
13%
17%
18%
18%
18%
19%
19%
24%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Sharing of staff
Efficient use of staff’s time
Sharing of resources
Alignment of priorities
Collaboration
Communication
Efficiency when working through security issues
Efficient use of technologies
Inferior Not quite acceptable Acceptable Good Very good
ITOperationsandITSecurityTeamsRelationship
ORGANIZATION PROFILE AND EVALUATION
Overall, how would you rate your organization’s IT operations/infrastructure team’s working relationship with your IT security team on the following factors?
When rating their organization’s IT operations/infrastructure team’s working relationship with their IT security
team, respondents rate efficient use of technologies the highest.
19
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=202
% Very Good/
Good
57%
54%
52%
50%
50%
48%
49%
43%
20. ITOperations and ITSecurity Relationship byOrganization Type
ORGANIZATION PROFILE AND EVALUATION
Overall, how would you rate your organization’s IT operations/infrastructure team’s working relationship with your IT security team on the following factors?
Education respondents rate efficiency when working through security issues, communication, and sharing of staff
higher than ratings from federal and state and local respondents.
20
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=202 = statistically significant difference
55% 53%
41%44% 42%
36%
68% 68%
61%
0%
10%
20%
30%
40%
50%
60%
70%
80%
Efficiency when working through
security issues
Communication Sharing of staff
% Very Good/Good
Federal State & Local Education
21. Organization’sITSecurityOperations
ORGANIZATION PROFILE AND EVALUATION
How are your organization’s IT security operations currently sourced? (select all that apply)
The majority, and significantly more so for state and local, indicate their organization's IT security operations are
sourced through in-house staff. More federal than other public sector respondents use an on-site contractor. Local
respondents are more likely than state to outsource to a managed service provider.
21
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
Note: Multiple responses allowed
25%
28%
86%
0% 20% 40% 60% 80% 100%
On-site contractor
Outsourced to a managed
security service provider
In-house staff
= statistically significant difference
Federal
State &
Local
Education
In-house staff 82% 91% 87%
On-site contractor 41% 9% 10%
State Local
Outsourced to a managed
security service provider
15% 39%
22. ConfidenceinKeepingUpWithThreats
ORGANIZATION PROFILE AND EVALUATION
[IF IN-HOUSE] How confident are you that your in-house staff can keep up with today’s evolving threats by maintaining the right skills? [IF OUTSOURCED TO A MANAGED SECURITY SERVICE PROVIDER] How confident are you that your
outsourced managed security service provider can keep up with today’s evolving threats? [IF ON-SITE CONTRACTOR] How confident are you that your on-site contractor can keep up with today’s evolving threats?
Only four in ten public sector respondents are very confident in their team’s ability to keep up with today’s
evolving threats.
22
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
6%
6%
10%
55%
47%
49%
39%
47%
41%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
On-site contractor
Outsourced to a managed
security service provider
In-house staff
Not at all confident Somewhat confident Very confident
In-house N=342
Outsourced N=113
On-site contractor N=101
23. MetricsUsedtoMeasureITSecurityTeamSuccess
ORGANIZATION PROFILE AND EVALUATION
What type(s) of performance metrics does your organization use to measure the success of its IT security team? (select all that apply)
Incidents detected, meeting compliance goals, compliance audit results, and threats averted are the metrics used
by most public sector organizations to measure the success of their organization’s IT security team.
23
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
Note: Multiple responses allowed
1%
31%
35%
36%
37%
39%
50%
52%
53%
58%
0% 10% 20% 30% 40% 50% 60% 70%
Other
Maintaining overall budget thresholds
Mean time to detect
Time it takes to patch
Level of device preparedness
Mean time to resolve
Threats averted
Compliance audit results
Meeting compliance goals
Incidents detected
24. MetricsUsedtoMeasureSuccessbyOrganizationType
ORGANIZATION PROFILE AND EVALUATION
What type(s) of performance metrics does your organization use to measure the success of its IT security team? (select all that apply)
Significantly more federal than other public sector respondents
indicate meeting compliance goals is used to measure the success of
their organization’s IT security team.
More federal and state and local respondents than education use
compliance audit results to measure success.
A significantly larger proportion of state and local respondents use
threats averted.
A larger proportion of education respondents use level of device
preparedness.
For incidents detected (the top metric mentioned overall), there are
no significant differences between organization types.
24
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
Note: Multiple responses allowed = statistically significant difference
Federal
State &
Local
Education
Meeting compliance
goals
57% 53% 43%
Compliance audit
results
58% 53% 39%
Threats averted 51% 56% 41%
Level of device
preparedness
34% 36% 46%
25. SegmentingAccessbyUserRiskLevel
SEGMENTATION OF USERS AND ZERO-TRUST APPROACH
Does your organization formally segment its users’ access to systems and data according to the level of risk associated with the user?
25
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
61%
26%
14%
Yes – users are formally segmented
We are in the process of that segmentation
No – all users are considered equal
Federal
State &
Local
Education
Yes – users are
formally segmented
67% 58% 50%
We are in the process
of that segmentation
21% 27% 35%
Defense Civilian
We are in the process of
that segmentation
13% 28%
= statistically significant difference
Over half indicate their organization formally segments its users’ access to systems and data according to the level
of risk associated with the user. Significantly more federal than other public sector respondents say their users are
formally segmented.
26. ChallengesSegmentingUsersbyRiskLevel
SEGMENTATION OF USERS AND ZERO-TRUST APPROACH
What challenges does your organization face when segmenting its users by their level of associated risk? (select all that apply)
The growing number of systems users need access to, an increased number of devices, and a growing number of
users are the top challenges public sector organizations face when segmenting users by their level of associated risk.
26
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
Note: Multiple responses allowed
2%
22%
24%
25%
26%
27%
27%
43%
45%
48%
0% 10% 20% 30% 40% 50% 60%
Other
Lack of business risk information
Not enough information about the user to establish associated risk
Users have multiple identities
Lack of personnel to properly segment
Other tasks take priority
Lack of skillset to properly segment
Growing number of users
Increased number of devices
Growing number of systems users need access to
= statistically significant difference
Federal
State &
Local
Education
Users have multiple
identities
32% 17% 18%
27. ProportionofPrivilegedUsers
SEGMENTATION OF USERS AND ZERO-TRUST APPROACH
What proportion of your total users at your organization are privileged users [MOUSE-OVER DEFINITION: Privileged user accounts are authorized (and therefore, trusted) to have access on an enterprise domain, allowing them to have
admin rights on, for example, their local desktops or across the systems they manage.]?
The majority of respondents indicate 10 percent or less of total users at their organization are privileged users.
27
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
6%
2%
1%
2%
4%
4%
7%
11%
14%
21%
29%
1%
0% 5% 10% 15% 20% 25% 30% 35%
Unsure
100%
71 – 99%
61 – 70%
51 – 60%
41 – 50%
31 – 40%
21 – 30%
11 – 20%
6 – 10%
< 5%
Zero
N=400
50%
28. 1%
1%
8%
10%
26%
28%
34%
41%
44%
55%
62%
0% 10% 20% 30% 40% 50% 60% 70%
Other
Outside vendors, partners, third parties – Non-IT
Outside vendors, partners, third parties – IT
Mid-level managers – Non-IT
Senior managers – Non-IT
C-level executives – Non-IT
Mid-level managers – IT
Security operations staff
C-level executives – IT
Senior managers – IT
IT administrators
DesignatedPrivilegedUsers
SEGMENTATION OF USERS AND ZERO-TRUST APPROACH
Who are designated as privileged users at your organization? (select all that apply)
IT administrators are mentioned most often by respondents as being designated as privileged users at their
organization.
28
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
Note: Multiple responses allowed
N= 397
41%
Have
Privileged
Users That
Are Non-IT
29. DesignatedPrivilegedUsersby OrganizationType
SEGMENTATION OF USERS AND ZERO-TRUST APPROACH
Who are designated as privileged users at your organization? (select all that apply)
Significantly more federal (particularly civilian) than other public
sector respondents note IT administrators are designated as privileged
users at their organization.
More federal and state and local (particularly state) than education
respondents (driven down by K-12) indicate security operations staff
are privileged users.
A larger proportion of education and state and local than federal
(driven down by civilian) respondents note C-level executives – non-IT.
A larger proportion of education respondents indicate senior
managers – non-IT.
More federal respondents (particularly civilian) note outside vendors,
partners, third parties – IT.
29
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
Note: Multiple responses allowed
N= 397
= statistically significant difference
Federal
State &
Local
Education
IT administrators 68% 62% 50%
Security operations staff 48% 40% 27%
C-level executives – Non-IT 19% 33% 41%
Senior managers – Non-IT 20% 26% 37%
Outside vendors, partners,
third parties – IT
13% 4% 1%
State Local
Security operations staff 49% 27%
Defense Civilian
IT administrators 61% 75%
C-level executives – Non-IT 25% 13%
Outside vendors, partners, third parties – IT 7% 17%
K-12 Hi-Ed
Security operations staff 16% 38%
30. UsingaZero-TrustApproachto ITSecurity
SEGMENTATION OF USERS AND ZERO-TRUST APPROACH
Is your organization currently using or considering a Zero Trust approach to IT security? [MOUSE-OVER DEFINITION: Zero trust security means that no one is trusted by default from inside or outside the network, and verification is required
from everyone trying to gain access to resources on the network.]
Nearly one third have a formal strategy in place and are actively implementing the Zero-Trust approach. A
significantly larger proportion of state than local respondents are not using or considering a Zero-Trust approach.
30
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
15%
24%
32%
30%
0% 5% 10% 15% 20% 25% 30% 35%
I don’t know/I’m not familiar with a Zero Trust
approach
No, we are not currently using or considering a Zero
Trust approach
Yes, we are modeling our approach based on Zero
Trust but there is no formal strategy in place
Yes, we have a formal strategy in place and are
actively implementing the approach
N=400 = statistically significant difference
State Local
No, we are not currently using or
considering a Zero Trust approach
37% 5%
31. 11%
14%
11%
7%
9%
13%
9%
8%
6%
10%
7%
25%
22%
20%
21%
17%
23%
15%
16%
18%
20%
18%
40%
40%
39%
39%
39%
37%
42%
42%
41%
40%
38%
18%
18%
23%
25%
26%
18%
25%
25%
25%
19%
25%
7%
7%
7%
8%
9%
10%
10%
10%
11%
12%
12%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Lack of out-of-the-box solutions available
User identity management (multiple identities)
Lack of policies and processes
Device management
Sprawling infrastructure
Leadership/executive resistance
Other IT initiatives take priority
Volume of network activity
Complexity of enterprise
Lack of IT/security staff expertise
Solutions are too costly
Not at all challenging Slightly challenging Moderately challenging Very challenging Extremely challenging
ChallengestoAdoptingaZero-TrustApproach
SEGMENTATION OF USERS AND ZERO-TRUST APPROACH
To what extent are each of the following a challenge that inhibits organizations from adopting a Zero Trust [MOUSE-OVER DEFINITION: Zero trust security means that no one is trusted by default from inside or outside the network, and
verification is required from everyone trying to gain access to resources on the network.] approach to IT security?
Solutions being too costly is the top challenge inhibiting organizations from adopting a Zero-Trust approach to IT
security.
31
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
% Extremely/
Very Challenging
37%
30%
35%
35%
35%
27%
35%
33%
30%
24%
25%
32. Challenges toAdopting aZero-Trust Approach byOrganization Type
SEGMENTATION OF USERS AND ZERO-TRUST APPROACH
To what extent are each of the following a challenge that inhibits organizations from adopting a Zero Trust [MOUSE-OVER DEFINITION: Zero trust security means that no one is trusted by default from inside or outside the network, and
verification is required from everyone trying to gain access to resources on the network.] approach to IT security?
Complexity of the enterprise is noted as a challenge to
adopting a Zero-Trust approach to IT security significantly
more often by federal than other public sector respondents.
More state than local respondents indicate complexity of
the enterprise and lack of polices and processes are
challenges.
More K-12 than Hi-Ed respondents indicate lack of
IT/security staff expertise and leadership/executive
resistance are challenges.
32
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
% Extremely/Very Challenging Federal
State &
Local
Education
Complexity of enterprise 41% 28% 32%
= statistically significant difference
% Extremely/Very Challenging State Local
Complexity of enterprise 37% 15%
Lack of policies and processes 44% 7%
% Extremely/Very Challenging K-12 Hi-Ed
Lack of IT/security staff expertise 37% 19%
Leadership/executive resistance 37% 15%
33. RiskAssociatedWithUserTypes
SEGMENTATION OF USERS AND ZERO-TRUST APPROACH
How would you rate the perceived risk associated with the following types of users as it pertains to IT security, access rights and the potential threat?
Although only rated by education respondents, students are the highest risk to IT security. Overall, citizens
accessing free Wi-Fi in public buildings, temporary employees/contractors (non-IT), and outside vendors, partners,
and third parties are also noted as some of the highest risk users.
33
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
1%
1%
1%
1%
1%
1%
2%
2%
7%
2%
7%
7%
7%
10%
4%
6%
4%
4%
11%
3%
34%
34%
34%
33%
20%
22%
17%
22%
18%
9%
37%
36%
30%
31%
44%
34%
37%
32%
27%
37%
15%
16%
21%
17%
22%
26%
24%
26%
17%
25%
6%
7%
8%
9%
10%
12%
16%
16%
21%
24%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Mid-level managers
Other IT personnel
Senior leadership/executives
System administrators
Other employees
Temporary employees/contractors (IT-focused)
Outside vendors, partners, third parties
Temporary employees/contractors (non-IT)
Citizens accessing free Wi-Fi in public buildings
Students [education only]
NA None Low Moderate High Very highPerceived Risk:
% Very High/
High
49%
38%
41%
40%
38%
31%
25%
29%
23%
21%
34. RiskAssociatedWithUserTypesbyOrganizationType
SEGMENTATION OF USERS AND ZERO-TRUST APPROACH
How would you rate the perceived risk associated with the following types of users as it pertains to IT security, access rights and the potential threat?
Federal respondents rate the perceived risk associated with
temporary employees/contractors (both non-IT and IT-focused)
and outside vendors, partners, and third parties higher than
other public sector respondents' ratings.
Four in ten federal and state and local government respondents
note temporary employees/contractors and outside vendors,
partners, and third parties as the greatest risks to security.
Education respondents rate citizens accessing free Wi-Fi in
public buildings riskier than other public sector respondents'
ratings.
More state than local respondents find temporary
employees/contractors (both non-IT and IT-focused) and
outside vendors, partners, and third parties risky.
34
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
% Very High/High Federal
State &
Local
Education
Temporary employees/contractors
(non-IT)
45% 41% 33%
Temporary employees/contractors
(IT-focused)
45% 38% 25%
Outside vendors, partners, third
parties
47% 40% 28%
Citizens accessing free Wi-Fi in
public buildings
36% 31% 49%
= statistically significant difference
% Very High/High State Local
Temporary employees/contractors
(non-IT)
53% 24%
Temporary employees/contractors
(IT-focused)
54% 15%
Outside vendors, partners, third
parties
51% 24%
35. UsersMostatRiskforDoingHarm
SEGMENTATION OF USERS AND ZERO-TRUST APPROACH
What percent of your organization's users do you estimate to be most at risk for potentially doing harm (either careless or malicious) to your organization?
The majority estimate 10 percent or less of their organization's users are most at risk for potentially doing harm
(either careless or malicious) to their organization.
35
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
3%
1%
1%
2%
3%
4%
6%
11%
16%
22%
29%
2%
0% 5% 10% 15% 20% 25% 30% 35%
Unsure
100%
71 – 99%
61 – 70%
51 – 60%
41 – 50%
31 – 40%
21 – 30%
11 – 20%
6 – 10%
< 5%
Zero
N=400
Federal
State &
Local
Education
< 5% 32% 33% 20%
= statistically significant difference
53%
36. Effectivenessof Toolsto FosterSecurity
USE AND EVALUATION OF TOOLS
The following are tools and practices that foster network and application security. Please indicate the effectiveness for each at your organization.
Endpoint security software is the highest rated tool for effectively fostering network and application security.
36
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
9%
9%
8%
4%
6%
4%
7%
12%
3%
6%
4%
3%
11%
12%
9%
9%
8%
10%
8%
9%
11%
7%
7%
7%
47%
45%
45%
48%
46%
44%
42%
33%
40%
39%
40%
39%
33%
35%
39%
39%
40%
42%
43%
45%
47%
49%
50%
52%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
File integrity monitoring software
Messaging security software
Security information event management (SIEM) software
Configuration management software
Vulnerability management software
Web application security tools
Network admission control (NAC) solutions
Smart card/Common access card for authentication
Patch management software
Password management tools
Identity and access management tools
Endpoint security software
Do not use Low Moderate HighEffectiveness:
37. % High State Local
Identity and access management tools 53% 27%
Smart card/Common access card for
authentication
39% 17%
% High K-12 Hi-Ed
Messaging security software 21% 46%
% High Defense Civilian
Network admission control (NAC) solutions 56% 42%
Effectivenessof ToolsbyOrganizationType
USE AND EVALUATION OF TOOLS
The following are tools and practices that foster network and application security. Please indicate the effectiveness for each at your organization.
More federal than other respondents indicate endpoint
security software, identity and access management tools,
patch management software, smart cards, and network
admissions control solutions are highly effective at fostering
network and application security at their organization.
A larger proportion of defense than civilian respondents
indicate NAC solutions are highly effective.
More state than local respondents indicate identity and
access management tools and smart cards/common access
cards for authentication are effective.
A larger proportion of Hi-Ed than K-12 respondents indicate
messaging security software is effective.
37
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
N=400
% High Federal
State &
Local
Education
Endpoint security software 57% 41% 51%
Identity and access management
tools
56% 42% 48%
Patch management software 51% 48% 37%
Smart card/Common access card
for authentication
65% 30% 21%
Network admission control (NAC)
solutions
49% 35% 39%
= statistically significant difference
38. 38VERBATIM COMMENTS
A major ongoing challenge is
integrating security protocols
without detriment to network
latency and response times.
IT AND NETWORK SYSTEMS
OPERATIONS MANAGER, DEFENSE
“ Security is everyone's job, but
holding the team accountable is
lacking. Until there are real
individual accountability regimens
in place, the network will remain at
risk.
DIVISION CHIEF, FEDERAL CIVILIAN
“
Not enough manpower,
money, or resources. Waiting for a
ticking bomb to go off.
CTO, K-12
“
Unfortunately, budget
constraints and operational red
tape prevents things from being as
secure and efficient as they need to
be.
IT MANAGER, K-12
“
Please feel free to share any other comments or concerns regarding your organization’s unique security challenges or success stories.
ExamplesofComments
Everything starts at the top. If
C-level doesn't put an emphasis on
security, it puts us at risk.
IT MANAGER, LOCAL GOV
“
Because it is the government
sector and government contracts
are at play. I think that there is a
ceiling when it comes to looking at
innovative, out-of-the-box
alternatives.
SYSTEMS ADMINISTRATOR,
FEDERAL CIVILIAN
“ Meeting the online needs of
12,000 plus students always
presents challenging security
issues, but we have been able to
manage without a major event so
far.
VP OPERATIONS, HI-ED
“
Our organization operates in
denial with a preference for
reactionary behavior instead of
operating proactively. Government
agencies tend to view IT spending
as throwing money into a black
hole until something occurs.
SR. IT PROJECT MANAGER AND
ANALYST, STATE GOV
“
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
Greatest challenge is always
protecting data from malware and
attacks from both internal and
external users.
DIRECTOR, STATE GOV
“
39. Key Takeaways
The federal audience tends
to be more mature than
state and local and
education audiences in its
IT security capabilities.
• Federal respondents’ ratings are significantly more mature than state
and local and education respondents in many cybersecurity capabilities.
State respondents also tend to be more mature in their capabilities than
local respondents, and Hi-Ed respondents are more mature than K-12.
• Significantly more federal than other public sector respondents think
compliance mandates or regulations and investment in training for
employees have impacted their organization’s evolution of its IT security
policies and practices.
• More federal than other public sector respondents say their users’
access to systems and data are formally segmented according to the
level of risk associated with the user.
• More federal than other public sector respondents indicate endpoint
security software, identity and access management tools, patch
management software, smart cards, and network admissions control
solutions are highly effective at fostering network and application
security at their organization.
39
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
40. Key Takeaways
Budget constraints is the
most significant high-level
obstacle to maintaining or
improving IT security in
public sector organizations.
• Budget constraints top the list of significant obstacles to maintaining
or improving organization IT security for all public sector groups, and
significantly more so for education respondents (driven by K-12).
• Budget constraints have declined since 2014 for the federal audience,
but still remain the top obstacle.
• Solutions being too costly is the top challenge that inhibits
organizations from adopting a Zero-Trust approach to IT security.
40
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
41. Key Takeaways
Complexity of the
environment is one of the
top challenges to improving
IT security, adopting a Zero-
Trust approach, and user
segmentation.
• Complexity of the internal environment is the second most significant
high-level obstacle to maintaining or improving IT security. Federal
respondents indicate the complexity of the internal environment
more than other public sector respondents do. The complexity of the
internal environment as an obstacle has increased since 2014 for the
federal audience.
• Complexity of the enterprise is one of the top challenges that inhibit
organizations from adopting a Zero-Trust approach to IT security.
• The growing number of systems users need access to, an increased
number of devices, and a growing number of users are the top
challenges organizations face when segmenting users by their level of
associated risk.
41
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
42. Key Takeaways
The majority note careless/
untrained insiders as the
greatest source of IT
security threats at their
organization. But overall,
most feel their organization
is keeping up with threats.
• Over half note careless/untrained insiders as the largest source of
security threats.
• Students, citizens accessing free Wi-Fi in public buildings, temporary
employees/contractors (non-IT), and outside vendors, partners, and
third parties are noted as some of the highest risk users to IT security.
• The majority estimate 10 percent or less of their organization's users
are most at risk for potentially doing harm (either careless or
malicious) to their organization.
• Regardless of the method being used to source their organization’s IT
security operations (in-house staff, outsourced to a managed security
service provider, or on-site contractor), most are confident they are
keeping up with today’s evolving threats.
42
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
43. Contact
Information
Laurie Morrow, VP, Research Strategy, Market Connections, Inc.
LaurieM@marketconnectionsinc.com
571-257-3845
Lisa M. Sherwin Wulf, Vice President of Americas Marketing –
ITOM, SolarWinds
Lisa.SherwinWulf@solarwinds.com
703-386-2628
www.solarwinds.com/government
LinkedIn: SolarWinds Government
43
© 2020 Market Connections, Inc. © 2020 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED
Elizabeth Lowery, Research Manager, Market Connections, Inc.
ElizabethL@marketconnectionsinc.com
703-972-5875