Updated: 8.5.2002; 0:56:36 GMT.
Security weblog

US Federal Govt to Catch Up With Security in 3 years?

"The history of government trying to achieve IT security is a sad one ... Improving federal IT security will take three to five years of continuous attention, before we get into a comfort zone."

Well, I am curious to see this one! Let's have a look at the following rules of thumb. Say I have an adequate number of knowledgeable people and no problem with budget. Under those circumstances, a basic technical security overhaul, such as a network redesign, server hardening or the introduction of an antivirus solution, may take a year for a department-sized organisation with neglected security. Replacing the server side of legacy systems will take 5-10 years. Replacing Windows 9x on user PCs can be done in some 3-5 years. On top of that they will need to adjust business processes, set up new functions, create security standards for new system development and educate users and developers. Changing the way people behave and changing the organisational culture is harder than putting technology in place. My guess for an organisation with 10k+ security-neglected users is somewhere around 2-3 years, and the results will not be guaranteed. So if we add up the soft side and the hard side of security to cover the most critical issues, we will indeed hit the 3-5 year timeframe.

There are, however, two reservations. This sum was made under the assumption of sufficient human and financial resources, which will not be true in reality. Government departments will be spending some 8% of their IT budget on security. Is this enough? I remember reading an analyst's survey saying that organisations spend 3-30% of their IT budget on security, and my experience says that 3% is the minimum necessary to maintain security, given that the design and deployment have been done properly. 8% is better than that, but if the departments are really neglected :-) the number will more likely be over 10%. So no, they won't have a sufficient budget.

As far as people go, security is a hard discipline and requires commitment, knowledge of both the technical and business sides of IT, and a willingness to make oneself unpopular for the sake of the greater good. There are certainly people like that. But on top of that, the government must convince them to be satisfied with a salary that is perhaps 10-20% lower than in the private sector. Which leads me to the conclusion that, due to limited budget and human resources, it will more likely be 5+ years before the governments get into the security "comfort zone".

8:58:58 PM