Friday, July 29, 2011

The Economics of Security

Sitting here in the Washington, DC area these days gives one much reason to ponder economics. As someone who has worked with the Government for over 15 years, there is always the economic factor in the back of one's mind. Most people think that the government just buys things and that the process is easy and straightforward. However, this is generally not the case, especially when we talk technology. Programs need to be defined, planned, and budgeted. These budgets need to get into a budgetary cycle that can last 18 months and beyond, and then the budgets need to be passed. Even after that it is always possible that things change, and 2011 has offered lots of opportunity for change.

Now you may ask what this has to do with the economics of security. Well, we have all seen the numbers, and while they do vary, they are significant. Data breaches are up over the last 5 years, and up substantially. Over the last couple of years the costs of these breaches have risen as well, with average cost increases per incident somewhere around 15%. Average individual incident costs have been stated to be anywhere from 3-7 million dollars.

With this backdrop Congress has been working on a couple of new bills covering Data Security and Breach Notification. The work done here is to be applauded as it is a step in the right direction. The question becomes what happens to these efforts and other government security efforts as Congress moves to reduce spending?

It is correct that corporations and individuals need to be aware of risks and implement proper mitigation strategies, but what happens to programs like NSTIC, which advocates increasing personal security, and to legislation that defines an oversight framework? Are bills that require action by industry and government effective without oversight and enforcement? On the other front, what happens to government programs within agencies that are looking to improve security with the goal of reducing costs? There are numerous technical advancements that could reduce costs while improving security, such as moving from expensive radio systems within DOD to smartphone-based systems. With the ability today to enable smartphones as strong authentication systems, the technology can be more broadly deployed at lower cost than existing systems. The question is how such an idea moves forward if the funding is not there for it.

The goal here is to mitigate the new risks by improving the baseline systems. Improved authentication systems based on open standards; enhanced authorization systems that leverage existing standards and are interoperable; and validated COTS products are all ways to improve security while controlling costs. Will these get lost in today's new realities? I hope not. Seeing how an NFC-enabled smartphone can be used to access multiple applications using a variety of authenticators, in a way that is easy for a person to understand and use, will only improve the overall security posture and reduce the number of these breaches. And that is good for our economy.


- Posted using BlogPress from my iPad