As governments around the world grapple with IT security, the US National Association of State Chief Information Officers (NASCIO) has released a brief on making the business case for sustainable IT security funding.
NASCIO, which represents US state government CIOs, argues that the threats to state IT systems and the sensitive information within them seem to multiply and evolve as quickly as the technology itself develops. To keep pace with the proliferation of current and future IT security threats, state CIOs must clearly articulate the need for ongoing investment in IT security.
Entitled "The IT Security Business Case: Sustainable Funding to Manage the Risks," the research brief was developed by NASCIO's Information Security and Privacy Committee.
It takes a holistic approach to constructing the case for enterprise IT security investment by outlining the following steps for state CIOs: Understanding the state government's IT environment that drives the need for security, starting with an enterprise-wide IT risk assessment, as well as making the case for IT security through demonstrating the risks (bolstered by the IT risk assessment results), the benefits of security and how security aligns with the state's business needs.
At the NASCIO 2005 Midyear Conference, 89 percent of responding state CIOs ranked security among their top three most important issues. "And it only takes a short recitation of some of the statistics about the threats faced by states for the reason for the urgency to become apparent," the brief says. "For example, on an average day, Michigan blocks 22,059 spam emails, 21,702 email viruses, 4239 Web defacements, and 6 remote computer take-over attempts."
The brief was issued as the Australian government is reviewing its own e-security national agenda with the aim of creating a secure and trusted electronic operating environment for users.
The review is targeted at ensuring Australia is well prepared for the opportunities and challenges created by the convergence of communications, information technology and the Internet. The government notes the online landscape has changed significantly since the agenda was announced in September 2001 with the emergence of new technologies and more serious e-security attacks. Australia's security framework must be able to respond to these dangers.
Submissions from the public and industry closed on May 8, and the government is now considering its response.
The issue is more important than ever. As NASCIO said in a release, technology is pervasive both in the workplace and in the home. However, the threats to state IT systems and the sensitive information within them seem to multiply and evolve as quickly as the technology itself develops. To keep pace with the proliferation of current and future IT security threats, state CIOs must clearly and successfully articulate the need for ongoing investment in IT security.
"Security has always been a top priority for the state CIOs," said Mary Carroll, Ohio CIO and co-chair of NASCIO's Information Security and Privacy Committee. "Through this brief, we are helping to provide the state CIOs with strategies for obtaining ongoing, sustainable funding for IT security. Adequate IT security investment can help the state CIOs address and manage today's risks and also prepare for tomorrow's risks."
The brief incorporates concepts of risk management, stressing the importance of a thorough assessment and prioritization of potential risks that threaten state IT systems and resources. The IT risk assessment is an important tool in determining which IT security risks are the most critical. The state CIO can then use that information to support the case for adequate funding and then determine how funding can be strategically allocated to address those threats.
"Citizens place their trust in state government to protect IT infrastructure, provide reliable online services and protect the privacy of sensitive citizen information housed within state IT systems. The state CIOs play a key role in the preservation of this trust by ensuring adequate funding levels for state IT security. State CIOs will find this brief helpful in creating funding strategies for their IT security efforts," said Brenda Decker, Nebraska CIO, and co-chair of the Information Security and Privacy Committee.