How do you put a value on security?

The government is looking for some good metrics.

Arthur W. Coviello, president of RSA (now the security division of EMC Corp.), on Thursday called for government to become more proactive in its IT security.

"For too long, security has been defensive rather than offensive," said Coviello, speaking at the IT Security Training Conference in Washington, D.C. He said security should be seen as an enabler for government business.

But an audience member with 30 years experience in government service said federal IT departments are forced to take the defensive because funding often is available only to address a problem that already has happened.

"You take the reactive mode because you're proving something is wrong," he said. "It's very difficult to convince management to spend money on something that is theoretical. That's a cultural problem we face continually."

There is a lack of metrics for determining the value of a security investment in government. The process is straightforward in the business world, where profit and loss is measured in dollars and cents. This lets companies quantify risks and costs and determine a return on investment. But government does not deal in profit and loss.

"It's really hard to do an ROI for security in that context," Coviello said.

The result has been a reactionary approach to IT security.

"The day before a breach, the ROI is zero," said Dennis Hoffman, RSA vice president of enterprise solutions. "The day after, it is infinite."

An example is the series of memos issued by the Office of Management and Budget this summer in the wake of the theft of a laptop computer from the Veterans Affairs Department, defining how agencies are to secure mobile and remotely accessed data. Edward Roback, associate CIO for Cyber Security at the Treasury Department, described the challenges of meeting the deadline set by OMB.

The first challenge was identifying sensitive, personally identifiable information covered under the mandate. It then had to be secured, all access to it tracked, and remote copies were to be erased within 90 days when no longer needed. "How do you do that?" Roback asked.

"The timeframe was ambitious," he said. Treasury sent out its compliance checklists to bureaus in August. "Like a lot of agencies, probably, we got a lot of partials back."

Other departments, such as Interior, which is in a long-running lawsuit with Native American tribes, have security thrust upon them even more dramatically. The court ordered the department to take its entire system offline in December 2001.

"We had to bring each bureau back online one at a time only after we could demonstrate that we could do it with adequate security," said CIO W. Hord Tipton.

Ten percent of the department, including all of Interior's attorneys, is offline. In some cases there was overreaction, with unnecessary barriers and layers of firewalls blocking traffic.

"All of a sudden, I've got lawyers designing my security," Tipton said. "Communications between our bureaus today still is a very difficult thing."

Strides have been made in improving Interior's IT architecture and security posture. Thirteen networks have been consolidated into a single network with five Internet gateways. But problems remain. There are good policies and designs in place, "but I don't have good compliance yet," he said.

And despite the public scolding the department has received from the courts, money often is not available for the needed work.

"Competing demands for money sometimes push security off the table" no matter how high the level of support, Tipton said.

Coviello said determining an ROI and making a business case for security is possible if it is addressed from a risk management perspective.

"Just because you don't have the dollar returns you have in business doesn't mean you can't put a value on it," he said. "I think it's a question of leadership."

There has not been strong leadership for IT security. It was three years from the publication of National Strategy for Defending Cyber Space until an assistant secretary for cybersecurity was named at the Homeland Security Department.

Coviello said security leadership does not necessarily have to come from the top.

"It can start at the secretary level; it can come from CIOs," he said. "But it also can come from the rank and file."

He said that security professionals within the agencies often have not done an adequate job of quantifying risk and making the business case to higher levels of management. Minds need to be changed before money is spent on technology, he said.

"The technology exists today," he said. "It's about people and processes as much as it is about money and technology."

William Jackson is a staff writer for Washington Technology's sister publication, Government Computer News.