According to a new report from the US Government Accountability Office (GAO), US federal agencies have implemented just 40 percent of the 335 cybersecurity recommendations made by GAO since 2010. The report, Cybersecurity High-Risk Series: Challenges in Establishing a Comprehensive Cybersecurity Strategy and Performing Effective Oversight, is the first of four planned reports examining the government’s development and implementation of cybersecurity policy.
Note
- It is tempting to skip over this “evergreen” item – government agencies not implementing audit recommendations is not news. But, I have to point out that GAO/OMB never seem to address the root problem of “Why?” Instead, it is always an immediate jump to “a more comprehensive strategy” is needed at the top, vs. what really are the obstacles facing government CISOs and SOC managers who do want to improve cybersecurity and why some agencies *are* able to stay safe and score well.
- One would hope that implementing fundamental recommendations would obviate others even though it decreased the number of boxes checked. Checking boxes is not an efficient way to achieve quality. Unchecked boxes are not necessarily an indicator of poor quality.
Read more in