Tuesday, August 28, 2007
DoD Digital Security Spending
I found the article Is IT security getting short shrift? to be a good reference for other large organizations contemplating digital security spending. In addition to the chart above, this text is illuminating:
Despite the growing number of attacks on military networks, securing enough money for information assurance programs is still a hard sell at the Defense Department, former Pentagon officials say.
“It’s been the source of enormous frustration,” Linton Wells said in a recent interview in which he recounted some of the difficulties he faced during his four-year tenure as principal deputy assistant secretary of Defense for networks and information integration...
[C]onvincing senior budget officials from the military services to spend money in that area is a continuing challenge, Wells said.
“What they say is, ‘Look, we’re all short on money for things we want to buy — ships, planes, tanks, whatever. Show me how this $2 million you want to put on this today is going to turn cell C17 from red to yellow to green in 2011,’” Wells said. “And that’s often a hard thing to do in information assurance.”
Wells said officials in charge of putting together the information technology security budget for DOD’s networks need better metrics for measuring return on investment for information assurance programs.
“We have not done a good job of making the case that a dollar spent here is going to lead to a quantifiable increase there,” he said. (emphasis added)
I saw Dr. Wells speak at Black Hat Federal 2006.
I have three brief points.
First, I think the bold text is the problem. If I'm being asked to spend money to turn a spreadsheet cell different colors, of course I'm going to debate the value of that spending. The problem is that the metrics used in these situations largely don't matter.
Second, I would be interested in knowing how much of the DoD budget funds counter-intelligence activities. The majority of the serious problems DoD faces have a counter-intelligence function. The intent of the adversary's activities is no different now than it was in pre-Internet days. How much has historically been spent on stopping spies?
Third, it is sad to continue to see security treated as a separate function that has to justify its own existence in financial terms. Security does not make any money, so it cannot possibly compete against business projects that do. This is not strictly the case in DoD, because none of the military makes money, but it is certainly true of civilian industries.