GovInfoSecurity.com - Information Security News, Regulations, & Education


Security Spending Rises as Overall IT Budget Plunges

Interview with Michigan CTO Dan Lohrmann
June 25, 2009 - Eric Chabrow, Executive Editor, GovInfoSecurity.com

With the U.S. auto industry reeling, so is the economy of Michigan. But the state's long-time chief information security officer, promoted earlier this year to chief technology officer, points out that the adverse local economy has yet to prevent Michigan from increasing spending on securing state IT systems.

Michigan is spending significantly less on IT, about $400 million; that's 20 percent less than it did a few years back, CTO Dan Lohrmann says in an interview with the Information Security Media Group (transcript of interview below). But that's mostly due to the centralization of IT operations, he says; for instance, the state reduced the number of data centers to three from 38. And spending on IT security has risen; cybersecurity represents 2 percent of overall IT spending vs. 1 percent five years ago, he says.

Lohrmann says Michigan IT leaders have made a strong business case to state appropriators for the need for increased IT security spending. "The threat environment has changed so dramatically," says Lohrmann, who served seven years as state CISO. "We are seeing more malware than ever before, more attacks than ever before, a greater need to protect information, more compliance regulation than we've had. We've had more laws around data, more requirements and there are more expectations. People have more and more mobile devices.

"We have been able to make a good strong case for security in Michigan and build a good, strong team. I certainly would love to have more money than what we have right now, but I think we have done fairly well in a very, very difficult budget environment."


Also in the interview with GovInfoSecurity.com Managing Editor Eric Chabrow, Lohrmann says that preventing data loss is among the biggest IT security challenges Michigan faces and that, like its federal counterparts, the state relies on the Federal Information Security Management Act and guidance from the National Institute of Standards and Technology to keep IT safe. One advantage, Lohrmann concedes, the state has over its federal counterparts: Michigan isn't graded on compliance by the Office of Management and Budget.

ERIC CHABROW: What is the biggest information security challenge Michigan faces?

DAN LOHRMANN: One of the top ones is the data loss prevention area. The role that individual employees play, whether it be USB drives, whether it be information in e-mails and social networking online, and we have a several-pronged approach to that.

We put some tools in place to be able to look at data loss prevention. Over the last couple of years, we've done quite a bit with everything from encrypting laptops to making sure that we have policy enforcement at the endpoints looking at outgoing e-mail and doing pattern matching and things to look for people pointing sensitive information in documents in things.

It is a real challenge for us for a variety of reasons because we have not locked down USB drives like some people are thinking the federal government has done. In some areas we have done it with certain individual situations, the financial data in some business areas, but for the most part, there is a lot of training that we have had to do and we have gone on a massive cultural training approach on helping people understand what the impact of their actions is.

CHABROW: In regards to USB drives, are you concerned about data loss or the introduction of a virus?

LOHRMANN: All of the above. Certainly, it is data loss prevention. It doesn't necessarily mean it is intentional, but it is the insider threat. People think they are doing the right thing by bringing a Word document home with them - maybe that has some sensitive information on it - and use a home PC; they can certainly bring a virus back into the enterprise. We do have some protection mechanisms in place on devices to look for endpoint viruses and things.

Once you have brought sensitive information outside of the enterprise in Michigan that is the definition of a data breach - as defined by the Michigan Identity Theft Protection Act - because we no longer control those home PCs, so we don't allow any sensitive information to leave the enterprise. We have requirements around reporting loss of data and things like that. It is really a lot around training, and imputing protections around endpoints and systems to help people be aware of what they are doing and what the impact is.

We can encrypt laptops and they can use those at home for sure. I think the challenge is how to protect the mobile data.

CHABROW: The nation's economic problems have severely hit Michigan. What is the impact of the economy on getting the funding to properly secure IT in Michigan?

