Commentary: Money can't buy security

The government must do much more to ensure the security of its information infrastructure--but just spending more isn't the answer.

By John Pescatore, Gartner Analyst

A report on information-technology security by the U.S. Office of Management and Budget reveals weaknesses in every important area of most government agencies' approach to information security. The government must do much more to ensure the security of its information infrastructure--but just spending more isn't the answer.

On Feb. 13, 2002, the OMB released its first-ever evaluation of federal information security. The report, based on data submitted by 24 government agencies, concluded that "many agencies have significant deficiencies in every important area of security." OMB identified six areas of weakness:

 Lack of senior management attention.
 Lack of security education and awareness.
 Inadequate performance measurement.
 Failure to integrate security into capital planning and investment control.
 Poor security practices by outside contractors.
 Inadequate detection and reporting of vulnerabilities.

Significantly, the report found no correlation between the percentage of spending on security and the quality of security.

Gartner predicted that the average Fortune 1000 enterprise would spend 3.3 percent of its IT budget on security in 2001. The OMB report shows that the average government agency spent closer to 6 percent--and achieved abysmal results. This finding confirms Gartner CEO Michael Fleisher's recent statement that "the answer (to enterprise security) isn't simply to spend more. Successful companies won't necessarily be the ones that spend the most."

To be sure, many government agencies should increase spending in certain areas, including external security audits, the use of smart cards and awareness training.

However, as its first priority, the government should find ways to allocate the current level of funding more efficiently. To achieve this goal, Gartner recommends the appointment of a federal chief information security officer (CISO) responsible for the following:

 Defining security standards and policies for all nonmilitary agencies.

 Working with the General Services Administration to create master indefinite-delivery, indefinite-quantity support contracts with a certified pool of commercial security consultancies and managed service providers for government agencies to use.

 Driving federal agencies to outsource most routine security tasks, such as the management and monitoring of firewalls, antivirus systems and intrusion detection systems.

Gartner also recommends the appointment of a CISO for each government agency or department who would be responsible for enforcing consistent departmentwide security policies and ensuring that security audits and penetration testing are performed by outside contractors.

Finally, Gartner recommends that the OMB intensify enforcement of its guidelines requiring all IT projects to include sufficient funding to build security into new IT systems from the start. Bolting security on after a system is built is an approach that has already proved disastrous. Gartner's conclusion is that just as you can't "test" security into a product after it is built, you can't "spend" security into an organization without changing the way the organization approaches security.

(For a related commentary on security issues, see gartner.com.)

Entire contents, Copyright © 2002 Gartner, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.