Making the Case for Security

NASCIO, which represents US state government CIOs, argues that the threats to state IT systems and the sensitive information within them seem to multiply and evolve as quickly as the technology itself develops. To keep pace with the proliferation of current and future IT security threats, state CIOs must clearly articulate the need for ongoing investment in IT security.

Entitled “The IT Security Business Case: Sustainable Funding to Manage the Risks,” the research brief was developed by NASCIO’s Information Security and Privacy Committee.

It takes a holistic approach to constructing the case for enterprise IT security investment by outlining the following steps for state CIOs: understanding the state government’s IT environment that drives the need for security, starting with an enterprise-wide IT risk assessment, as well as making the case for IT security through demonstrating the risks (bolstered by the IT risk assessment results), the benefits of security and how security aligns with the state’s business needs.

At the NASCIO 2005 Midyear Conference, 89 percent of responding state CIOs ranked security among their top three most important issues. “And it only takes a short recitation of some of the statistics about the threats faced by states for the reason for the urgency to become apparent,” the brief says. “For example, on an average day, Michigan blocks 22,059 spam emails, 21,702 email viruses, 4239 Web defacements, and 6 remote computer take-over attempts.”

The brief was issued as the Australian government is reviewing its own e-security national agenda with the aim of creating a secure and trusted electronic operating environment for users.

The review is targeted at ensuring Australia is well prepared for the opportunities and challenges created by the convergence of communications, information technology and the Internet. The government notes the online landscape has changed significantly since the agenda was announced in September 2001 with the emergence of new technologies and more serious e-security attacks. Australia’s security framework must be able to respond to these dangers.

Submissions from the public and industry closed on May 8, and the government is now considering its response.

The issue is more important than ever. As NASCIO said in a release, technology is pervasive both in the workplace and in the home. However, the threats to state IT systems and the sensitive information within them seem to multiply and evolve as quickly as the technology itself develops. To keep pace with the proliferation of current and future IT security threats, state CIOs must clearly and successfully articulate the need for ongoing investment in IT security.

“Security has always been a top priority for the state CIOs,” said Mary Carroll, Ohio CIO and co-chair of NASCIO’s Information Security and Privacy Committee. “Through this brief, we are helping to provide the state CIOs with strategies for obtaining ongoing, sustainable funding for IT security. Adequate IT security investment can help the state CIOs address and manage today’s risks and also prepare for tomorrow’s risks.”

The brief incorporates concepts of risk management, stressing the importance of a thorough assessment and prioritization of potential risks that threaten state IT systems and resources. The IT risk assessment is an important tool in determining which IT security risks are the most critical. The state CIO can then use that information to support the case for adequate funding and then determine how funding can be strategically allocated to address those threats.

“Citizens place their trust in state government to protect IT infrastructure, provide reliable online services and protect the privacy of sensitive citizen information housed within state IT systems. The state CIOs play a key role in the preservation of this trust by ensuring adequate funding levels for state IT security. State CIOs will find this brief helpful in creating funding strategies for their IT security efforts,” said Brenda Decker, Nebraska CIO, and co-chair of the Information Security and Privacy Committee.