Taking the fear, uncertainty and doubt out of security


Insiders remain the top network security threat for IT leaders, but malicious attacks and end user downloads of non-approved applications come in a close second, according to an informal poll conducted this week at the National Association of State CIOs' mid-year conference. Convincing those who hold the purse strings to invest in adequate security remains a major challenge, but it can be eased by implementing a risk management program that measures real risk, said Christopher Buse, chief information security officer for the state of Minnesota.

"Security is viewed as a black hole," Buse told his colleagues at NASCIO's mid-year conference in Washington, D.C., May 5. "You make a lot of expenditure decisions on fear, uncertainty and doubt."

Rather than basing security investments on uncertain variables, IT leaders need to figure out how to make decisions based on real risks, Buse said. In Minnesota, the risk management program in place for IT involves a continuous assessment of all IT assets so problems can be identified and fixed before they can be exploited.

Minnesota established a Central Technology Agency, which oversees the risk management program and its tools. The agency provides training, analyzes the collected data and sends out security advisories. Buse said his group develops a single tool for each purpose that every organization in state government uses. "The beauty of having one tool is that we normalize the results," he said. "We have comparative results for all organizations."

More important than the risk management tools are the processes that are put in place, Buse warned. Standards and policies, as well as a means of measuring results, are vital to determining real risk. Before you can provide effective measurements, you need to know what your baseline is, he said.

"We have to go beyond just producing facts and figures," he said. "What you need as a CIO is the ability to make a proactive decision. If we can collectively start bringing that information together in a format that is more meaningful to CIOs...we can start driving toward making investment justifications."
