Making Security Matter
To Executive Leadership
To the People that Own the Purse
To the People that Make the Rules
It is Expensive to be breached
The Target Breach – 70 million records with a net cost impact of $252 million
The Home Depot Breach – 56 million records with a net cost impact of $62 million
The Ponemon Institute did a study that shows that the net cost impact of a public sector breach is $172 per record impacted
California Population = ~ 39 million
California licensed drivers = ~ 24 m
CA total number employed = ~ 13m
CA total number on Medi-Cal = ~12m
California licensed drivers = ~ 24 m: $86 m
CA total number employed = ~ 13m: $46 m
CA total number on Medi-Cal = ~12m: $43 m
Report 2015-611
High Risk Update—Information Security
Many State Entities’ Information Assets Are Potentially Vulnerable to Attack or Disruption
Common Theme
“The reporting entities that responded to our survey identified a number of challenges that … were currently preventing them from achieving full compliance with the security standards. They most commonly cited inadequate budgets, staff shortages …”
“In analyzing the types of challenges reporting entities face, we identified two primary areas of concern—insufficient resources and competing priorities.”
Funding Strategies
Traditional
Submit a BCP for Additional Funds and Resources
Identify Fund Sources – Fees, Special Funds
Larger Effort – HIPAA
Programmatic Change
Incorporate into a New Technology Project
Sponsor a Legislative Package that includes funding
Traditional Redirection
Not-So-Traditional
Convince the Department of Technology to submit a BCP for a one-time true-up of Security funding resources and convince DOF to approve it
Convince the Department of Technology to approve a security element within each Project Approval
Convince the Department of Finance to amend the standard budget allocation for each new position to include standard allocation for Security
Enhanced Redirection (overhead) within your own entity
Keys
Raise the Status of the issue of Security. Be Bold and Educate your Executive Leadership
Document the time/funds that you are spending currently and document what you cannot do, due to funding/resource constraints
Get Friendly with your Administrative Leadership and Staff. Ask them how you can creatively access funding. Have them be an advocate for including funding for security in every entity cost of policy change or program expansion analysis that is developed
Understand and Leverage new Budget Control Language
Taking advantage of new Budget Control Language
Budget Letter 15-22 (Budget Position Transparency – Control Section 4.11) provides direction for departments to calculate historically filled positions and adjust expenditures by category. In an effort to increase overall budget accuracy, transparency, and accountability, salaries and wages dollars associated with historically vacant positions will be reallocated to expenditure categories where resources are actually expended. This adjustment will be used to reconcile historically vacant positions and accurately display how salaries and wages, staff benefits, and OE&E resources are expended.
Section 26.00 authorizes the transfer of funds within an item of appropriation. Augmentations of any line of any schedule are limited by amount or percentage, as specified. In addition, transfers may not establish a new program, project, or function. Any transfer in excess of $200,000 requires a 30-day advance notification letter to the Legislature. A waiver of the 30 days may be requested.