California is ailing financially, and state government this year has slashed some $15 billion in funding for services, including $8 billion for education. But the state continues to provide the money to safeguard state IT assets, says Mark Weatherford, California chief information security officer.
"The spend is not going down" on IT security, Weatherford said in an interview with GovInfoSecurity.com (transcript below). "We are actually just looking at ways that we can spend a little bit more efficiently and get a little bit smarter about how we do spend money."
Among the efficiencies California is implementing is a trusted-Internet-connection model, in which Internet access to and from state systems is limited, requiring fewer assets to monitor fewer connections.
In the interview, Weatherford also discussed the challenge he and other government CISOs face when trying to recruit IT security professionals: the lack of governmental occupation classifications for infosec specialists. He also discussed his role as head of an office that, like the federal Office of Management and Budget, doesn't have direct control over the 152 state agencies but holds much influence over them.
Eric Chabrow, GovInfoSecurity.com managing editor, interviewed Weatherford.
ERIC CHABROW: California has made headlines around the country with Gov. Arnold Schwarzenegger and the legislature making massive spending cuts in government services. How have California's budgetary woes affected spending on state IT security?
MARK WEATHERFORD: I wouldn't say that we have actually seen any cuts in security. That is one of the challenges that we are working on right now with a fairly large enterprise effort to begin consolidating some of our infrastructure and some of our IT resources around the state. We are very, very decentralized, and up until recently we haven't had a good opportunity to kind of aggregate what the total spend really was, the total spend on IT, so subsequently it is pretty hard to determine what the total spend on IT security is. But from what I can see, again, from my perch, I don't have a lot of specific control over IT budgets and security budgets at the state agency level. The spend is not going down; we are actually just looking at ways that we can spend a little bit more efficiently and get a little bit smarter about how we do spend money.
CHABROW: Can you give me an example or two of how to be more efficient, how to get smarter?
WEATHERFORD: Sure. Let me back up and give a little background first. We have 152 state agencies; not only is the business different, but the mission and the security requirements of each of those organizations are considerably different. Across those 152 agencies we have about 10,000 IT employees across the state, and we have about 130 information security officers scattered throughout those 152 or so agencies. The aggregate IT spend is around $3 billion a year, and that does not include some of the major projects that are ongoing, which is probably another $6 billion or so. We have fairly large organizations, very distributed; most of the agencies are fairly autonomous in how they run their IT infrastructures.
Back to your question now: how are we seeing some efficiencies? We don't have a common backbone, a common wide-area network for the state, but we do have a common data center where all of our mainframe operations are run out of, and they provide WAN services, so we are trying to increase the adoption of some of those WAN services by other state agencies. Obviously, the more customers you have using the same services, the more the costs go down there.
From my perspective, it's important to be able to centralize a little bit more of our perimeter security. Right now we have quite a few different points of presence for the Internet across the state government; the fewer we can have, the better I can consolidate the perimeter security posture of the state. So we do have a project working to start necking those down. It is very similar to what the federal government started with (former federal CIO) Karen Evans a couple of years ago, the Trusted Internet Connections initiative, similar in philosophy.