Cybersecurity panel: Federal CISOs must focus on worker training
Most federal chief information security officers aren't losing sleep over a poorly trained workforce--but maybe they should be.
When asked to rank what they consider the most severe threat to security, 27 percent of federal CISOs surveyed identified exploitable software vulnerabilities and 24 percent pointed to malicious insider activity, according to a report from (ISC)².
Only 12 percent of federal CISOs worry about poorly trained users. Yet according to an April 2010 study by the Ponemon Institute, 40 percent of all data breaches in the United States are the result of negligence; a comparable statistic for the federal space is unavailable.
"Most of the data leakage, that I've seen over the years, has been from untrained users and poorly-trained users," said Fred Newberry, client solutions director of Cisco's Cyber Security National Programs at an August 11 panel on the National Initiative for Cybersecurity Education, hosted by the National Institute of Standards and Technology in Gaithersburg, Md.
"The term 'borderless networks' is becoming more and more common," said Newberry. "You just can't put a border around your networks anymore. It used to be that you could secure the perimeter and we could go home at night and feel real safe. We know better than that, now."
Newberry said that a poorly trained workforce is the most convenient door into an agency's network. As younger employees join the workforce, they demand social media--which has many benefits, said Newberry, but also presents vulnerabilities.
The Computer Security Act of 1987 requires federal agencies to "provide for the mandatory periodic training in computer security awareness and accepted computer security practices of all persons who are involved with the management, use, or operation of each Federal computer system within or under the supervision of that agency."
At the NIST event, Hord Tipton, executive director of (ISC)², estimated that most federal employees only get an hour of training per year, under FISMA requirements.
Several attendees expressed frustration about careless activity by employees, which often puts the network at risk. "I think we could all benefit from something that's a little bit stricter," said one attendee referring to the average one-hour training, while addressing the panel.
The gap between how little concern federal CISOs in the survey showed for employee training and the actual risk posed by poorly trained users may be explained by the changing role of the federal CISO.
According to the survey, "half of the CISOs see their jobs taking on more managerial, policy and political elements on top of their existing technical duties."
CISOs in both the private sector and government are becoming more managerial, explained panelist Patty Edfors, principal, Banrion Consulting. Very few are actually getting their hands dirty, which is not necessarily a good thing, she added.
"If the leadership team gets farther and farther away from the technology and more on the answering of C-suite questions," Edfors said, "you get farther and farther away from risk, and the definition of risk and the identification of risk."
For more:
- see the (ISC)² study of CISOs here (.pdf) (reg. req.)