Overcoming Security Funding Roadblocks

This article is an excerpt from an upcoming feature, the full version of which will appear this fall in Public CIO magazine  and Web site.

While a security breach is a frightening threat for public CIOs, governments constantly lack enough funding for IT security. Security is one of the least understood management functions, and therefore never receives enough funding to fully protect an organization's critical information. Outlined below are a few key actions CIOs must take to ensure IT security gets the budget it deserves:

• Increase Appreciation of Security's Significance -- Many executives are wary of shelling out big dollars for IT security. Some believe media coverage of cyber-security stories are exaggerated, with skepticism increasing since Y2K. Others believe industry is trying to scare officials in order to increase product sales. In reality, cyber-security incidents are on the rise, and CIOs must be made aware of the importance of security management.
• Quantify the Real Cost of a Security Breach -- One way to increase an IT security budget is to show executives how taking precautionary security measures can actually save an organization money. Proactive security activities are usually much less expensive than reactive measures -- with the latter, costs include notifying people of the breach, and supplying free services to those exposed to identity threats. There are other, more qualitative costs that must be included with reactive measures --- with a security breach, there is a loss of trust that may require costly changes in the long run, including the implementation of new and expensive programs.
• IT Management Must Appreciate the Importance of Security -- IT management often views security as an obstacle that drains their budget and takes up valuable time. However, IT personnel should understand that, with property security, they can actually reduce the time they spend focusing on risk management. Enterprise security systems can automate processes and regulate daily network activity, saving employees time and labor. With proactive security activities, IT management will also avoid the hassle of cleaning up after a security breach.
• Make All Employees Aware of Security -- Many organizations suffer from a poor understanding of security among all personnel, greatly contributing to the human-error factor in security breaches. CIOs must make sure all employees are security-minded, through IT security training for new employees and education on how their computer use can affect the security of the entire organization.
• Understand the Best Practices for Technology Adoption -- Adopting security measures is only the first step to staying protected; CIOs and employees must understand how to implement security solutions, and at what scale, in order to protect all of a government's critical information. While following the security mandates required by the federal Office of Management and Budget is a start, this is only the bare minimum for many agencies. Each organization has unique information to protect, and must understand what security measures will best secure their individual agency.

The Bottom Line:
Proactive cyber security can ultimately save agencies money, labor, and time. However, these facts are not yet understood by everyone in the public sector. CIOs must improve upon appreciation, awareness, and adoption in order to make any headway during budget negotiations. Public sector organizations must change how they think about security in order to keep data secure and protect citizens.

Mark Rutledge is the former CIO of Kentucky.