State CIOs point to insiders as major IT threat

Published 19 April 2007

NASCIO study finds that most risks stem from inattentiveness and management failure; group advocates cooperation between CIOs, human resources, and executive staff

The National Association of State CIOs (NASCIO) is not known for philosophical discourse, but in assessing IT security threats, the organization is perfectly Delphic: Know thyself. According to NASCIO, state government chief information officers need to ensure that in their efforts to fight external risks they do not overlook potential danger from their own employees and contractors. “We’ve always had the focus on the perimeter, but everyone is beginning to take a strong focus on what is inside now,” said Tom Jarrett, Delaware’s CIO and co-chairman of NASCIO’s Security and Privacy Committee. “We’re beginning to do a lot of work to get people to understand that they have to be as cautious, if not more cautious, about issues inside the perimeter than they do outside the perimeter.”

Most interestingly, although NASCIO cites malicious employees as a prime security risk, most of the danger, it says, comes from inattentiveness, complacency, and ignorance — on the part of both ordinary employees and the IT staff. Security breaches, the report found, “tend to stem from a general lack of attention to standard business processes rather than from a malicious intent to cause harm.” Solving the issue, then, requires a two-pronged approach: audits of employee computers to detect fraud and theft, and a comprehensive, cooperative relationship between state executive management, human resources, and the state CIO. To take just one example, FCW reports that “Delaware last year required all network administrators in the state to go through a training and testing regimen that included IT security.”