Securing Security Dollars
IT security projects are continually under-funded, despite being a top concern for 2007. Here’s how to make the case for security investment.
It's one of the paradoxes of the technology world: IT security continues to gain visibility as a pressing issue, but the funding for improved data protection doesn’t always flow.
Two recent surveys illustrate this situation. In its 2006 Higher Education IT Security Report Card, CDW-G reported that 84 percent of surveyed higher ed IT directors and managers considered IT security one of their top-five priorities. But less than half of respondents said their executive administrators view IT security with the same sense of urgency. Eighty-one percent of respondents said their IT security budget allocations provide less than what they need. Meanwhile, an Accenture study, Enabling High Performance With Next Generation Infrastructure, showed that more than 90 percent of surveyed government and education IT executives listed security as one of their top two IT priorities for 2007. Yet only about 10 percent of respondents’ IT budgets have been earmarked for security.
That is interesting, since getting the funds to bolster security would seem to be an easy sell: news reports continue to document credibility-damaging data breaches affecting higher education. Last year, the University of California-Los Angeles, for one, reported that a database containing personal information on hundreds of thousands of students had been illegally accessed over a period of months.
UCLA is hardly alone: CDW-G’s survey reveals that more than half of higher education IT personnel experienced at least one IT security incident in the last year, and one third reported lost, stolen, or exposed data. CJ Spallitta, VP of global services at security services firm Cybertrust, says universities tend to be more susceptible to security incidents than other enterprises. Because universities possess data types that attract identity thieves—such as student names, Social Security numbers, and banking information—they are almost the perfect target, explains Spallitta. Plus, he says, “historically there has been an environment of openness and collaboration, and also budget constraints,” making higher ed especially vulnerable.
Stating Your Case
Building the case for security investment requires an ongoing dialogue between the IT department and an institution’s senior administration. When it comes to obtaining security funding, “a lot goes back to communication between those two groups,” says Joe Sartin, senior manager for higher education sales at CDW-G. At budget time, items that are “top of mind day in and day out tend to be where the money flows,” he adds. If security doesn’t have a high enough profile, the topic may not come up until something bad happens—which, essentially, is too late.
Administration officials “might not understand what the IT group and the security team is going through,” Sartin suggests, a problem that can be addressed with some internal marketing. Some security consultants suggest using an education campaign to raise awareness. That campaign should highlight the importance of investing in security from a risk management standpoint. “Explain what happens out there and why universities are good targets,” Spallitta advises.
While universities can hire a consultant to put together the internal marketing campaign (at a cost), the IT department itself should already have the metrics to illustrate the need for security dollars. Products such as intrusion detection systems, for example, flag security events. IT managers can periodically cull event data and then present top management with a high-level overview of what they’re up against. Presenting hard numbers—recording the frequency of attacks against a particular IT asset or detailing the amount of overtime paid to have a firewall monitored—can help get IT security funding off the back burner.
IT managers can also emphasize worst-case scenarios to motivate balking administrators. The scare tactic might capture the attention of executives who don’t wish to see their names in the paper for endangering the identities of hundreds or thousands of students, Spallitta points out. Still, horror stories may not impress university leaders convinced that data breaches only happen to somebody else. Sartin says IT managers need to drive the point home that although serious incidents may not be daily occurrences, the risk grows greater daily.
Spallitta, meanwhile, notes that regulatory compliance is a key driver behind security efforts in the enterprise world, and may also provide an angle in the higher ed sector. Security managers, he says, can go to their boards and make a case for investment from the compliance perspective. Indeed, many universities still need to deal with the security and privacy provisions of the Health Insurance Portability and Accountability Act. In addition, the Payment Card Industry’s Data Security Standard applies to schools that handle credit card data.
The Grant Angle
Grants may also provide IT security funding, albeit indirectly. Kristin DeProspero, grants director at Polycom, a collaborative communications vendor, says the grant programs she is familiar with don’t fund IT security as an independent item. Instead, grants usually cover broader areas such as distance learning.
But in a few cases, grants will help pay for infrastructure, such as security, if it’s part of a larger project. DeProspero cites as an example the US Department of Agriculture’s Distance Learning and Telemedicine Program, a grant program that applies to entities located in rural areas. Security funding can be included if the project proposed in the grant application meets the program’s distance learning or telemedicine requirement.
Though such government grants tack on IT security as part of a broader program, they may not help when security is a pressing need. Timing can be an issue, but while the government grant process could take 18 months, a private sector grant might be awarded in a couple of months.
Schools should consider turning to vendors for help navigating the grant-seeking process. For example, Polycom’s Grant Assistance Program offers both human resources and financial support. Among other benefits, the program provides one-on-one advice on the grant process and up to $1,500 toward grant writer fees.