Security grabs attention, but not always dollars

The data breach the University of California at Los Angeles reported last month marks the latest in a series of public-sector security lapses that have kept information technology security top of mind among IT executives.

The university disclosed Dec. 12 that a restricted database containing names and Social Security numbers had been illegally accessed for more than a year. The school said access attempts had been made since October 2005. UCLA notified all 800,000 people whose names were contained in the database. The breach follows other data-loss incidents last year, such as the loss of a Department of Veterans Affairs laptop computer containing personal information on more than 25 million veterans.

An Accenture/IDC study, released days before the UCLA incident was reported, shows security to be the main concern for the government IT executives surveyed. More than 90 percent of the executives said securing data is a priority for the new year. The next highest priority was network infrastructure, identified by 80 percent of the respondents.

“Security was clearly the top-priority area,” said David Chen, a senior executive and U.S. government technology consulting lead at Accenture.

But although security ranks as a high priority, it doesn’t top the list when it comes to IT investment. The study shows that on average, about 10 percent of the respondents’ IT budgets are earmarked for security. Network, data center, operations and desktop expenditures each garnered bigger slices of the budget.

Chen said security technology is less expensive in some respects than other infrastructure elements when overall cost is considered. He cited the expense of managing numerous desktop devices. Still, IT security expenditures can be hard to justify when managers emphasize bottom-line results.

The impact of security investment can be difficult to quantify, Chen said. “Some of the agencies are still struggling with putting the right amount of dollars behind security commensurate with the priority that it really is,” he added.

Industry executives suggested a couple of ways government IT managers can help build the case for greater security investment.

Bryan Sartin, managing principal and security consultant in Cybertrust’s Investigative Response group, said executive leaders need to be educated on the potential impact of a security breach. He suggested computer incident response training for the chief executive officer, legal counsel, human resources directors and other executives with a role in incident response.

He described such classes as a “high-impact but inexpensive way to communicate what can happen.”

Chen also said IT managers can also try to demonstrate that a given security investment enables a function that couldn’t be safely accomplished otherwise -- such as the ability to exchange information between two departments.