By John Moore
Jan. 2, 2007
The data breach the University of California at Los Angeles reported
last month marks the latest in a series of public-sector security lapses
that have kept information technology security top of mind among IT
The university disclosed Dec. 12 that a restricted database containing
names and Social Security numbers had been illegally accessed for more
than a year. The school said access attempts had been made since October
2005. UCLA notified all 800,000 people whose names were contained in the
database. The breach follows other data-loss incidents last year, such
as the loss of a Department of Veterans Affairs laptop computer
containing personal information on more than 25 million veterans.
An Accenture/IDC study, released days before the UCLA incident was
reported, shows security to be the main concern for the government IT
executives surveyed. More than 90 percent of the executives said
securing data is a priority for the new year. The next highest priority
was network infrastructure, identified by 80 percent of the respondents.
Security was clearly the top-priority area, said David Chen, a senior
executive and U.S. government technology consulting lead at Accenture.
But although security ranks as a high priority, it doesnt top the list
when it comes to IT investment. The study shows that on average, about
10 percent of the respondents IT budgets are earmarked for security.
Network, data center, operations and desktop expenditures each garnered
bigger slices of the budget.
Chen said security technology is less expensive in some respects than
other infrastructure elements when overall cost is considered. He cited
the expense of managing numerous desktop devices. Still, IT security
expenditures can be hard to justify when managers emphasize bottom-line
The impact of security investment can be difficult to quantify, Chen
said. Some of the agencies are still struggling with putting the right
amount of dollars behind security commensurate with the priority that it
really is, he added.
Industry executives suggested a couple of ways government IT managers
can help build the case for greater security investment.
Bryan Sartin, managing principal and security consultant in Cybertrusts
Investigative Response group, said executive leaders need to be educated
on the potential impact of a security breach. He suggested computer
incident response training for the chief executive officer, legal
counsel, human resources directors and other executives with a role in
He described such classes as a high-impact but inexpensive way to
communicate what can happen.
Chen also said IT managers can also try to demonstrate that a given
security investment enables a function that couldnt be safely
accomplished otherwise -- such as the ability to exchange information
between two departments.
Subscribe to InfoSec News