Security measures cost government £3.2bn and hamper innovation, says public sector IT chief

Over-cautious security measures on public sector ICT projects are costing the government billions of pounds and are hampering agility, a senior public sector IT head has told Computer Weekly.

Over-cautious security measures on public sector ICT projects are costing the government billions of pounds and are hampering agility, a senior public sector IT chief has told Computer Weekly.

"The basic problem is, we have a very single posture on everything," he said. "Everything must be militarily secure, so security costs huge amounts of money and time."

As much as 20% of the budget in public sector IT projects is spent on security measures, said the source. This amounts to about £3.2bn of the £16bn being spent on current IT projects, according to published data.

The IT head added, "It is necessary to weigh risks against threats, but that is not something we do. Any number of people around Whitehall will tell you the same."

Former government CIO John Suffolk told Computer Weekly he had not seen any empirical evidence to support the claimed figure of 20%.

"That does not mean it is wrong, but security is not itemised as a line item, so it can be no more than a view from vendors," he said. "Personally, I think it is over-stated, but would be happy to see the evidence.

"Given that money will be much tighter going forward, we really do need to assess every line item of spend to ensure that: a, it is needed; b, we are doing the minimum to achieve our requirements, not the maximum; and c, that risk is apportioned to the right part of the supplier/customer equation."

But Philip Virgo, secretary general for the Information Society Alliance (Eurim), agreed that the government was spending too much on security and that a figure of 20% did not seem exaggerated.

"The core of the problem is getting people who understand government security processes," he said. "Different departments don't recognise each other's processes, timescales are fragmented and duplicated advice is being given which is either totally wrong or out of date."

The cost of security can be extremely expensive if delivered as an afterthought, said Virgo. "If it is embedded in the original design, then it's much cheaper. If you retrofit it, then it's bloody expensive."

But David Wilde, CIO of Westminster City Council, said local government tended to take a more pragmatic approach to security.

"I wouldn't be surprised if costs in central government are much higher," he said. "It's about finding which levels are required in what areas, rather than opting for the highest security on everything."

Wilde suggested network security costs were the highest, with anti-virus and anti-spam costing 20-25%, whereas for applications it was closer to 10%.

He blamed the security industry for inflated costs in many cases. "It's an ongoing legacy in the security industry that they are trying to dictate to organisations what sort of hardware is required," he said. "I have little patience with security bodies telling me what system routers we should have, for example."

Wilde said central government bodies such as CESG, the information assurance arm of GCHQ, had moved towards a more risk-based security approach in recent years, whereas suppliers who set up the security to comply with standards appeared to be still stuck at the hardware level.

A CESG spokesman said the organisation has published guidance on the application of national risk management policy, which encouraged best practice, seeking to remove unnecessary work.

"This includes conducting risk assessments and producing risk management documentation that is proportionate," he said. "Additionally, CESG encourages a strategy of conducting risk management activities at an enterprise level which allows re-use for similar systems with common risk attributes."

But the senior level public sector IT head told Computer Weekly that security remained a contentious issue. "Security is an area of very significant challenge for government officials," he said. "We don't do security assurance in proportion to risk.

"There will be a rebellion soon because we can't get anything done."

Read more on IT risk management