Risky Business
Feb 2, 2007, By Merrill Douglas
We've all heard about the analyst at the U.S. Department of Veterans Affairs who, in May 2006, took home a laptop that held personal information on millions of military veterans. When a burglar broke into his home and stole the laptop, the incident raised fears of identity theft on a catastrophic scale.
Luckily the laptop was recovered, and the FBI determined that the data had not been compromised. But the close call points out an undeniable fact: When something goes wrong with a government information system, the consequences can ripple far beyond the IT department.
Today, just about every aspect of government relies on IT. So when a hurricane destroys a data center, a hacker launches a denial-of-service attack, or the vendor of a key software application goes out of business, that doesn't just mean headaches for the CIO. It could also mean public-health professionals can't access patient records. Or teachers can't get their paychecks. Or police officers can't fight crime.
In other words, IT risk means risk to the entire government.
"People have to stop thinking of IT risks as independent," said Cal Braunstein, chairman, CEO and executive director of research at the Robert Frances Group, an IT consulting firm in Westport, Conn. "IT risks are a component of business and operational risk."
IT risks comprise a growing range of concerns. Especially when it comes to data security, risk management has become a huge role. "Much more than we thought about four or five years ago," said Thomas Jarrett, CIO and secretary of Delaware's Department of Technology and Information. "And it's become a major focal point for the work we do."
Types of Risk
"In this day and age, privacy and security risks would be at the top of the food chain," said Patrick Pizzella, CIO and assistant secretary for administration and management at the U.S. Department of Labor. Thieves, hackers, spammers, virus launchers and others who try to steal data or sabotage systems constitute one of the major categories of IT risk. As government agencies open their systems to one another and to private-sector partners in the name of collaboration, and as they offer e-government services to the public, it becomes increasingly important to guard every door and window into the IT infrastructure.
IT plays a role in managing risk when it comes to physical doors and windows, as well as logical ones. In this post-9/11 world, concerns about physical security and information security meld, said Bradford Brown, managing director of the technology risk consulting practice, public services, at Protiviti Inc. in Vienna, Va. For one thing, that means CIOs must think especially hard about managing identity risk. "It's not so much even the physical protection of the building," Brown said, "but who's going to have access, how you're going to gain access not only to the building but to your network, what that access is going to look like, and how you are going to compartmentalize that."
CIOs must also be aware of risks outside the sphere they manage, such as the public telephone network and the power grid. "If you are an IT organization and are providing support for a 911 system, and power goes down and you have no way to get that system back up, it's not a reasonable thing to say, 'Out of my control,'" Braunstein said. "When the power does go out or other failures occur, you have to be able to address the problem, whether it is internal or external, and keep the mission-critical systems running."
A government that offers Web services must consider a range of risks, including harm to third parties who might be inclined to file lawsuits, said Bill Kostner, risk manager for Lincoln, Neb., and president-elect of the Public Risk Management Association. Citizens who conduct business