IT Security Budgets Hold Firm

Despite the tough economic climate over the past 18 months, public-sector organizations are shoring up resources devoted to IT security, according to new research from PricewaterhouseCoopers.

In fact, the downturn raised concerns about the potential for increased breaches. For the first time in the 11 years that PwC has conducted an IT security survey, the state of the economy ranked among the top drivers of public-sector security initiatives. It was fourth behind internal policies, regulatory compliance, and disaster recovery and continuity of operations.

It’s rare that security fails to be mentioned at some point during almost any tech briefing or CIO event. For instance, the crucial nature of security and keeping it top of mind came up this week during a CIO panel at the 2009 Geospatial Intelligence Foundation Symposium in San Antonio.

“We are doing a lot of work in identity and access management,” says Kelly Miller, deputy CIO for the National Security Agency. The reason? “So that we can again balance the risk of who has access to the common data that we are looking for and the common repositories and still maintain a security posture that is acceptable to us across all of our security domains.”

Keeping Resources Secure

Of the 899 government officers who responded to the PcW survey (37 percent in North America), little more than half noted that “the increased risk environment has elevated the role and importance of the information security function.” An equal number, however, pointed out that cost-reduction efforts have made it more difficult to achieve security targets.

Even so, only 15 percent of public-sector respondents reported that they had reduced spending on security, and those cuts were in the range of 10 percent or less. (In all, the survey included responses from 7,200 executives worldwide.)

“It appears that some public-sector organizations are reluctant to cut too deeply into security — and may, to some extent, be protecting the security function’s budget,” the survey report points out.

By comparing the data from this year with that from 2008, PwC identified some increase in efforts around security. Respondents were asked if they had done the following:

• Employ a chief information security officer: 39 percent said yes in 2008; 48 percent this year.
• Employ a chief privacy officer: 24 percent in 2008; 30 percent this year.
• Integrate physical and IT security staffs: 38 percent had done so last year; 46 percent did so this year.
• Have accurate inventory of where data is stored: 29 percent in 2008; 34 percent this year.
• Have a third party conduct risk audits: 27 percent last year; 37 percent in 2009.
• Automatically de-provision user accounts: 25 percent were doing so in 2008; 31 percent do so today.
• Audit third parties that handle personal data: 24 percent did this last year; 34 percent this year.

Yet, the data suggests that the most troubling factor remains what organizations don’t know. Even given increases in focused security initiatives, one out of every two government officials who responded to the survey said they did not know if the total number of security incidents has risen.

A chief factor in this challenge could well be the rising demand for services and access to data by users. During the GEOINT panel, Miller referred to this as a “huge appetite” among the federal government’s users of intelligence data.

Priscilla Guthrie, Intelligence Community CIO for the Office of the Director of National Intelligence, added that keeping pace with rising data demands and dealing with potential threats “is going to require us to do risk management sometimes in near real time. And that is something, again, that is a little different from what we’ve had to deal with as a community.”