
Funding Secrets for the ISOs from the Expert

Date post: 06-May-2019
Upload: trandung


Making Security Matter

To Executive Leadership

To the People that Own the Purse

To the People that Make the Rules

Introductions

Anthony Souza

Joseph Munso

Jamie Mangrum

Why does Security Matter?

Confidentiality Matters

Accuracy Matters

Moral Obligation – Do No Harm

It is Expensive to be breached

The Target Breach – 70 million records with a net cost impact of $252 million

The Home Depot Breach – 56 million records with a net cost impact of $62 million

The Ponemon Institute did a study that shows that the net cost impact of a public sector breach is $172 per record impacted

It is Expensive to be breached

California Population = ~ 39 million

California licensed drivers = ~ 24 m

CA total number employed = ~ 13m

CA total number on Medi-Cal = ~12m

It is Expensive to be breached

California licensed drivers = ~ 24 m

$86 m

CA total number employed = ~ 13m

$46 m

CA total number on Medi-Cal = ~12m

$43 m

Report 2015-611

High Risk Update—Information Security

Many State Entities’ Information Assets Are Potentially Vulnerable to Attack or Disruption

Common Theme

“The reporting entities that responded to our survey identified a number of challenges that … were currently preventing them from achieving full compliance with the security standards. They most commonly cited inadequate budgets, staff shortages …”

“In analyzing the types of challenges reporting entities face, we identified two primary areas of concern—insufficient resources and competing priorities.”

Guess that Budget Amount

Funding Strategies

Traditional

Submit a BCP for Additional Funds and Resources

Identify Fund Sources – Fees, Special Funds

Larger Effort – HIPAA

Programmatic Change

Incorporate into a New Technology Project

Sponsor a Legislative Package that includes funding

Traditional Redirection

Funding Strategies

Not-So-Traditional

Convince the Department of Technology to submit a BCP for one-time true up of Security funding resources and convince DOF to approve it

Convince the Department of Technology to approve a security element within each Project Approval

Convince the Department of Finance to amend the standard budget allocation for each new position to include standard allocation for Security

Enhanced Redirection (overhead) within your own entity

Keys

Raise the Status of the issue of Security. Be Bold and Educate your Executive Leadership

Document the time/funds that you are spending currently and document what you cannot do, due to funding/resource constraints

Get Friendly with your Administrative Leadership and Staff. Ask them how you can creatively access funding. Have them be an advocate for including funding for security in every entity cost of policy change or program expansion analysis that is developed

Understand and Leverage new Budget Control Language

Taking advantage of new Budget Control Language

Budget Letter 15-22 (Budget Position Transparency – Control Section 4.11) provides direction for departments to calculate historically filled positions and adjust expenditures by category. In an effort to increase overall budget accuracy, transparency, and accountability, salaries and wages dollars associated with historically vacant positions will be reallocated to expenditure categories where resources are actually expended. This adjustment will be used to reconcile historically vacant positions and accurately display how salaries and wages, staff benefits, and OE&E resources are expended.

Taking advantage of new Budget Control Language

Section 26.00 authorizes the transfer of funds within an item of appropriation. Augmentations of any line of any schedule are limited by amount or percentage, as specified. In addition, transfers may not establish a new program, project, or function. Any transfer in excess of $200,000 requires a 30-day advance notification letter to the Legislature. A waiver of the 30 days may be requested.

