Communication about the perils of taking inappropriate risk – and how to accept or not accept IT risk in government – is seriously lacking these days. There is clearly a link missing in the chain that connects government business managers with matters of importance such as IT risk.

Take, for instance, the Utah data breach and all of the “lessons learned” that have been discussed since an incident that exposed the health data of 500,000 people and the Social Security numbers of 280,000 Utah Medicaid recipients. The incident, which took place earlier this year, led the executive director of Utah’s Department of Technology Services to resign in May.

It’s great to use this kind of incident as a platform for advocating better password protection or response plan development, but what is often overlooked is that government business managers are not sufficiently focused on risk and have a limited knowledge of how to manage it.

The problem in the Utah incident was that the business managers responsible for keeping the health system running defined risk in terms of available funds rather than the possible consequences of a breach. Without funding for database encryption, they launched a system that was fraught with risk.

Many would agree that government agencies are all susceptible to this type of breach, but if you are aware of the risk at the front end of developing a system, you have an explicit choice: halt the project, or knowingly accept the risk and launch it.

There needs to be a strict adherence to Certification and Accreditation (C&A) requirements that include the monitoring of a system throughout its lifecycle – from planning to risk analysis to making ongoing updates. In the case of state governments such as Utah, there is no strict requirement for this type of adherence.

Perhaps more importantly, someone must be responsible for making sure that every one of the 36 steps in the C&A process is actually followed from the beginning, with appropriate sign-off at each stage of development, before the system is certified.

Personnel certified and responsible for shepherding the C&A process must be able to thoroughly explain: the risk of certifying a system; the potential dollars that could be lost at low, moderate and critical levels of risk; the probability of each risk; how potential budget cuts may expose the system to additional risk; and finally, qualitative risks that include public embarrassment, lawsuits, answering to Congress, or, in the case of Utah, the resignation of key personnel.

It is vital that the assessment itself be sound and built on a sound methodology. From this perspective, it is not difficult to identify the missing link in many of the recent breaches: skilled C&A people who can effectively communicate risk to the CIO and to system business owners, and business owners who listen and act accordingly.

That being said, you can explain risks until you are “blue in the face,” but the only chance of getting system business owners to accept only appropriate risk is to hold them accountable when an incident occurs. If that accountability takes hold, we may just start to see a decrease in incidents.

Technology dependence increases every day, with data being generated at a rate of 8 trillion bits per second. The business owner must know what it takes to securely implement and maintain his or her system and all of its important data.

Let’s face it: over the past 10 years, every segment of business has come to be driven by an information system. Only in rare cases does a CIO stick his or her neck out and accredit a system for a business owner without following a strict C&A process.

In government, however, personnel don’t always have the luxury of adhering to a strict process, because there are not enough funds available to address every system. Ensuring stable funding throughout the lifecycle of the project, before throwing the switch on a certified system, is critical.

In the meantime, the government needs to continue investing in more people who will skillfully shepherd the C&A process for agencies and who will maintain a process that is founded on good human judgment and communication in analyzing risk – rather than merely checking boxes to comply with C&A requirements.

W. Hord Tipton is executive director of (ISC)2, the world’s largest non-profit body for certifying information security professionals; he is also the former CIO of the Department of the Interior and a recipient of the President’s Distinguished Rank Award. He writes regularly for Breaking Gov and serves on its board of editorial advisors.