GovInfoSecurity.com - Information Security News, Regulations, & Education


Security Spending Rises as Overall IT Budget Plunges

Interview with Michigan CTO Dan Lohrmann
June 25, 2009 - Eric Chabrow, Executive Editor, GovInfoSecurity.com

(Page 2 of 3)

LOHRMANN: We have been very fortunate up until now. Going forward, I think it is going to be a continual challenge. We are getting some stimulus funds to help us in some special areas, like broadband and health IT, and we are optimistic. We have been able to get some federal grants. Over the last five years, we got over $6 million dollars in Homeland Security grant dollars to help us with over 30 cybersecurity projects.

Even though the economy has been very hard, our government has centralized all of IT into one department. We have taken $100 million out of our annual spend in IT. We have gone down from about $500 million to about $400 million a year. In IT spending, we have been able to be more efficient by closing data centers. We have gone from 38 data centers to three, and we have done some other things that have enabled us to apply more money to security in the data centers that are left. Those three data centers all have generator backup power now, for example; they all have procedures and processes in place that are more consistent, which we didn't have before. We have been fairly fortunate, and we have made the business case for security to enable better processes with the reduced amount of IT spend that we do have. So overall we spend about 2 percent of our IT budget on security, which is up from about 1 percent five years ago.

CHABROW: Why has the proportion of the IT budget on security risen?

LOHRMANN: We made the business case that we need. The threat environment has changed so dramatically. We are seeing more malware than ever before, more attacks than ever before, a greater need to protect information, more compliance regulation than we've had. We've had more laws around data, more requirements and there are more expectations. People have more and more mobile devices.

We have been able to make a good strong case for security in Michigan and build a good, strong team. I certainly would love to have more money than what we have right now, but I think we have done fairly well in a very, very difficult budget environment.

CHABROW: The federal government has the Federal Information Security Management Act, National Institute of Standards and Technology and Office of Management and Budget. What is the equivalent in Michigan?

LOHRMANN: For the most part we do follow FISMA and use a lot of NIST standards. That is our framework model: 60 percent of our IT spending comes from federal dollars so we support a lot of federal programs, everything from roads, transportation to Medicare, Medicaid programs, and we implement federal programs so we have to meet federal regulations and many of them follow the FISMA standards.

We also use a lot of credit cards and online government, so we follow payment card industry standards. We were one of the first states to be enterprise-wide Payment Card Industry compliant, in April 2008.

CHABROW: Many federal officials complain that FISMA requires a lot of paperwork but doesn't really secure government IT. Have you found that?

LOHRMANN: I don't think we have the same level of oversight around reporting in FISMA. Certainly it is a lot of paperwork and we have had a lot of federal auditors come through, and state auditors as well, who really want to see the paperwork backup to different aspects of security and logging and the processes and procedures and identity management just in so many different areas.

We haven't been held to the same level of grading [as have federal agencies], but I would agree that FISMA needs some modifications, and I hope that the Obama administration takes that on as a task and makes it more pragmatic for a lot of agencies that think there are some lower-cost ways they can secure things.

CHABROW: Do you have regular audits of your IT systems for security and if so who conducts them?

LOHRMANN: We have some federal auditors that come in and do auditing of us, and we have had just about every federal program's auditors come through. We have the state auditor general, which is our legislature side, that comes in; we also have internal audits. So absolutely, we get audited a lot. We get to know our auditors pretty well.

There are some audits just of the Michigan Department of Information Technology, our part of the program, and in some cases it is a joint audit where we are audited with the agency [whose program we support]. It is a fairly frequent process that we have two or three audits going on at the same time.

CHABROW: What do you think of President Obama's cybersecurity plan?


1 | 2 | 3