The solution to federal IT security breaches appears to be not more money but IT asset management, a recently released study says.
The federal government has famously struggled with large federal IT projects, but it's not because agencies are skimping on them.
In fact, throwing billions of dollars into fixing wayward IT initiatives isn't necessarily helping, according to a recently released study by the International Association of Information Technology Asset Managers.
Why doesn't an influx of cash help federal IT? Because the money isn't being used in an effective manner, according to the report, “Understanding the Federal Government’s ‘IT Insecurity’ Crisis.” In fact, some $40 billion spent on federal IT and IT security is being squandered, the study argues.
“Right now, we have the high-tech equivalent of the $436 Pentagon hammer and it’s just getting worse,” the group's CEO, Barbara Rembiesa, said in the report.
Federal IT officials tend to falsely blame insufficient funding for their departments’ problems, Rembiesa said. But the more likely culprit is the lack of strong IT asset management. Beefed-up IT management could help stop security breaches and other IT problems and would likely require less funding in the long term.
Currently, the federal government's IT budget hovers around $80 billion a year. That averages out to about $36,000 per employee. The Education Department is one of the big spenders, averaging more than $150,000 in per-employee IT spending.
In contrast, the private sector on average spends less than $5,000 on each of its employees for IT. Per-employee spending is a measure of the efficiency of IT spending.
Spending on federal cybersecurity measures also continues to rise -- even as data breaches and hacks continue unabated. In fiscal year 2013, the number of these incidents hit 60,000, according to the report.
A bottom-up approach to IT asset management is needed, the study argues.
That would involve a centralized federal entity responsible for the creation of all policies, procedures, processes and metrics. In addition, there would be more local IT asset management, specifically responsible for each agency.
“Spending greater and greater sums without proper [IT asset management] controls in place is a prescription for more breaches, risks posed by unauthorized devices, increases in lost and stolen hard drives, and major vulnerabilities created by outdated and/or ‘unpatched’ software,” the study stated.