Letter to the editor
Why is information technology security a problem? Nothing gets management's attention unless it is bleeding or causing adverse publicity. Therefore, IT security will get no attention unless it is causing mission problems or getting bad publicity. Management will not give resources to anything that doesn't "squeak" louder than other issues.
No agency is doing a decent job of training personnel in IT security issues. High cost; therefore, only token effort.
Note: The Computer Security Act has been in effect for 15 years, but to this day, most agencies have (at best) implemented only small pieces of the requirements of this act. Life cycle management — truly integrating IT security into the whole process — isn't happening.
Congress does a great job of mandating certain actions or activities, then providing zero resources to the agencies to actually implement the activities. If the Hill truly wants something done, they must be prepared to fund it. They can always find resources for some pork project that only benefits a few representatives or senators.
Very few agencies have a comprehensive IT security policies and procedures document. Fewer still have actually communicated that document to the offices that must implement it. Fewer still provide the authority to the IT security manager to enforce the implementation.
So, why do we have problems with IT security??? Sigh!
Too many managers think that IT security is firewalls or intrusion-detection systems. It isn't. There are several others that are important, but you get the idea.
Name withheld by request