Cyber security gets short shrift, say federal info tech managers.

Author: Erwin, Sandra I.

A recent survey of federal information technology managers suggests that many government agencies are poorly prepared to cope with cyber attacks.

The survey paints a grim picture. It cites misdirected priorities in cyber-security programs and substandard quality in the software provided by commercial vendors.

This analysis, published by a government contractor, Intelligent Decisions Inc., was based on interviews with 25 of the total population of 117 federal agency chief information security officers.

"We were surprised" by the results of the survey, said Harry Martin, president of Intelligent Decisions.

Across the board, federal chief information security officers ranked "patch management" as their number-one security concern, pointing to shortfalls in the quality of commercial network-security products. Patch management software is used to protect corporate networks from Internet-based attacks.

Microsoft Windows operating systems, particularly, have many security holes, experts note. Hackers often exploit these vulnerabilities to steal information or program computers to distribute spam email. Every time a new Windows problem is discovered, Microsoft issues a "patch" to fix it. In companies or government organizations with many computers, it is difficult to ensure that the latest patch is installed on every computer, especially since Microsoft now releases patches on a bi-weekly basis.

Patch management software can make a cyber-security manager's job easier, because it automatically pushes out patches to every computer in a corporate network. Many software companies, including Microsoft, are getting into patch management software and targeting the government market. Federal IT managers in the survey expressed dissatisfaction with the quality of the products available.

"It is clearly time for private industry to get serious about software quality," said Martin.

The study also reveals a class divide among federal IT security officers, with those who control less than $500,000 on one side, and those whose annual budgets exceed $10 million on the other. "Half a million doesn't buy you a whole lot in today's IT security world, particularly for a large agency," he noted.

The security "have-nots" are loaded down with administrative tasks and unable to address "strategic security management functions," noted Ted Ritter, director of cyber-security at Intelligent Decisions. These officers devote 45 percent of their time to compliance paperwork...
