[Dataloss] Security grabs attention, but not always dollars (fwd)
security curmudgeon
jericho at attrition.org
Wed Jan 3 03:55:42 EST 2007
---------- Forwarded message ----------
From: InfoSec News <alerts at infosecnews.org>
http://www.fcw.com/article97197-01-02-07-Web
By John Moore
Jan. 2, 2007
The data breach the University of California at Los Angeles reported last
month marks the latest in a series of public-sector security lapses that
have kept information technology security top of mind among IT executives.
The university disclosed Dec. 12 that a restricted database containing
names and Social Security numbers had been illegally accessed for more
than a year. The school said access attempts had been made since October
2005. UCLA notified all 800,000 people whose names were contained in the
database. The breach follows other data-loss incidents last year, such as
the loss of a Department of Veterans Affairs laptop computer containing
personal information on more than 25 million veterans.
An Accenture/IDC study, released days before the UCLA incident was
reported, shows security to be the main concern for the government IT
executives surveyed. More than 90 percent of the executives said securing
data is a priority for the new year. The next highest priority was network
infrastructure, identified by 80 percent of the respondents.
Security was clearly the top-priority area, said David Chen, a senior
executive and U.S. government technology consulting lead at Accenture.
But although security ranks as a high priority, it doesn't top the list
when it comes to IT investment. The study shows that on average, about 10
percent of the respondents' IT budgets are earmarked for security. Network,
data center, operations and desktop expenditures each garnered bigger
slices of the budget.
Chen said security technology is less expensive in some respects than
other infrastructure elements when overall cost is considered. He cited
the expense of managing numerous desktop devices. Still, IT security
expenditures can be hard to justify when managers emphasize bottom-line
results.
The impact of security investment can be difficult to quantify, Chen said.
Some of the agencies are still struggling with putting the right amount of
dollars behind security commensurate with the priority that it really is,
he added.
Industry executives suggested a couple of ways government IT managers can
help build the case for greater security investment.
Bryan Sartin, managing principal and security consultant in Cybertrust's
Investigative Response group, said executive leaders need to be educated
on the potential impact of a security breach. He suggested computer
incident response training for the chief executive officer, legal counsel,
human resources directors and other executives with a role in incident
response.
He described such classes as a high-impact but inexpensive way to
communicate what can happen.
Chen also said IT managers can try to demonstrate that a given
security investment enables a function that couldn't be safely accomplished
otherwise -- such as the ability to exchange information between two
departments.