[ISN] Security grabs attention, but not always dollars

From: InfoSec News (alerts@private)
Date: Tue Jan 02 2007 - 22:16:55 PST


By John Moore
Jan. 2, 2007

The data breach the University of California at Los Angeles reported 
last month marks the latest in a series of public-sector security lapses 
that have kept information technology security top of mind among IT 

The university disclosed Dec. 12 that a restricted database containing 
names and Social Security numbers had been illegally accessed for more 
than a year. The school said access attempts had been made since October 
2005. UCLA notified all 800,000 people whose names were contained in the 
database. The breach follows other data-loss incidents last year, such 
as the loss of a Department of Veterans Affairs laptop computer 
containing personal information on more than 25 million veterans.

An Accenture/IDC study, released days before the UCLA incident was 
reported, shows security to be the main concern for the government IT 
executives surveyed. More than 90 percent of the executives said 
securing data is a priority for the new year. The next highest priority 
was network infrastructure, identified by 80 percent of the respondents.

Security was clearly the top-priority area, said David Chen, a senior 
executive and U.S. government technology consulting lead at Accenture.

But although security ranks as a high priority, it doesn't top the list 
when it comes to IT investment. The study shows that on average, about 
10 percent of the respondents' IT budgets are earmarked for security. 
Network, data center, operations and desktop expenditures each garnered 
bigger slices of the budget.

Chen said security technology is less expensive in some respects than 
other infrastructure elements when overall cost is considered. He cited 
the expense of managing numerous desktop devices. Still, IT security 
expenditures can be hard to justify when managers emphasize bottom-line 

The impact of security investment can be difficult to quantify, Chen 
said. Some of the agencies are still struggling with putting the right 
amount of dollars behind security commensurate with the priority that it 
really is, he added.

Industry executives suggested a couple of ways government IT managers 
can help build the case for greater security investment.

Bryan Sartin, managing principal and security consultant in Cybertrust's 
Investigative Response group, said executive leaders need to be educated 
on the potential impact of a security breach. He suggested computer 
incident response training for the chief executive officer, legal 
counsel, human resources directors and other executives with a role in 
incident response.

He described such classes as a high-impact but inexpensive way to 
communicate what can happen.

Chen said IT managers can also try to demonstrate that a given 
security investment enables a function that couldn't be safely 
accomplished otherwise -- such as the ability to exchange information 
between two departments.
