Dibya Sarkar of FierceGovernmentIT on a recently completed ISC(2) survey in which the government's own federal employees grade US government cyber security extremely low:
Despite making major cybersecurity investments through policies, guidance and tools, the U.S. government hasn’t improved its security posture over the last two years, according to a May 14 survey of more than 1,800 federal information security professionals.
According to the International Information System Security Certification Consortium’s bi-annual survey, nearly half the respondents said the government is seeing little to no return on such security investments, while 17 percent said their organization’s security posture is even worse – which is 5 percent higher than what respondents said in a 2013 survey.
Eighty percent of respondents said the top reason for the reduced security was the U.S. government’s inability to keep pace with threats. They also said there’s a poor understanding of risk management across the federal space (73 percent), inadequate funding for security projects (71 percent) and a dearth of qualified security professionals (70 percent).
No surprises there.
I witnessed this firsthand when I was a civil service employee. There really is a poor understanding of cyber security and risk management by most in the federal government, and this is what leads directly to inadequate funding. If leadership does not adequately understand the problem, they will never set aside enough budget to solve the issues. It all boils down to speaking their language and articulating the needs in a manner they comprehend.