Partner Perspectives  Connecting marketers to our tech communities.
10/5/2016
11:13 AM
Ned Miller
Ned Miller
Partner Perspectives
50%
50%

Cybersecurity Economics In Government -- Is Funding The Real Problem?

Government leadership and those chartered with creating budgets could benefit from applying sound value-management practices when considering the cybersecurity budget process.

Tom Quillin, Intel Security's CTO for security economics, contributed to this story. 

Tony Scott, CIO for the federal government, recently commented that the federal funding process played a part in the Office of Personnel Management breach that exposed 21.5 million records. Many of these records included personally identifiable information of employees and contractors with security clearances.

A GovWin IQ report, Federal Information Security Market, 2015-2020, forecasts the federal demand for vendor-furnished information security products and services will increase from $8.6 billion in FY 2015 to $11 billion in 2020. As agencies struggle to stay ahead of cybersecurity threats, more and more of their IT spending is being devoted to cybersecurity, reaching over 10% by 2020.

With the government investing billions of dollars a year in IT security, how could the funding process be so broken and be a significant contributor to a compromise like what occurred at OPM? I asked Tom Quillin, a colleague who specializes in cybersecurity economics for Intel Security’s CTO, to help me better understand the issue.

How and why are organizations continuing to struggle with justifying cybersecurity budgets and funding in an environment where we read about sophisticated hacks and attacks every day?

“Think of the Tower of Babel, where a large group of people, nominally focused on the same goal, loses their ability to understand each other. Too often security teams and budget owners end up speaking completely different languages, slowing down decision-making and creating huge barriers in strategy and execution,” Quillin says.  “The security team often knows exactly what needs to get done, but it doesn’t know how to translate those priorities into terms that align with the organization’s mission. Administration and leadership know they must act, but they lack the expertise to evaluate conflicting advice from different security experts. The paralysis continues until disaster strikes, at which point the floodgates open,” he says.

So how can organizations break through the language barriers?

“They need to start with the basics: making sure all are aligned on an organization’s mission and goals. Then identify what data and information is mission-critical data. With that basic level of alignment, we work with organizations to communicate how specific measures can help them make progress toward those goals. We describe this as focus on value management,” says Quillin.

What role does the security team play in this effort?

“The security team has to take responsibility for communicating with leadership how investments in security support the organization’s mission today and in the future. We work with security teams on how to describe the cost of doing nothing. The ability to communicate in terms of an organization’s mission is key to a successful cybersecurity strategy,” says Quillin.

Lessons Learned

In the case of OPM, federal government CIO Scott went on to further describe that “Congress, for the most part, funds federal civilian agencies to maintain their information systems, not to modernize them. It's a culture of what I call ‘set it and forget it,’” Scott said at an Aug. 31 symposium on trustworthiness held at the National Institute of Standards and Technology in Gaithersburg, Md. “Go put something in, and then assume your work is done.”

Scott says that approach was in play at OPM. “What you have is a recipe for high costs, cost overruns, projects that can’t be completed, and the whole litany of things that we all know historically have been true,” the CIO says. “And, indeed, in OPM we found exactly that. We found there, and across the federal government, projects that could have been done in one or two years were taking 10 years to do because they couldn’t put together enough funding in one budget cycle or two budget cycles to do the needed work.”

“And you know what happens in 10 years? Management changes, priorities change, talent changes, all kinds of things change. So any project that will take 10 years to do is probably destined for failure.”

In summary, the cybersecurity landscape can change as fast as the weather. Government leadership and those chartered with creating budgets could benefit from applying sound value-management practices when considering the cybersecurity budget process. Maybe they should start with defining more accurate ways to measure security efficacy and efficiency.

Ned Miller, a 30+ year technology industry veteran, is the Chief Technology Strategist for the Intel Security Public Sector division. Mr. Miller is responsible for working with industry and government thought leaders and worldwide public sector customers to ensure that ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8980
PUBLISHED: 2019-02-21
A memory leak in the kernel_read_file function in fs/exec.c in the Linux kernel through 4.20.11 allows attackers to cause a denial of service (memory consumption) by triggering vfs_read failures.
CVE-2019-8979
PUBLISHED: 2019-02-21
Koseven through 3.3.9, and Kohana through 3.3.6, has SQL Injection when the order_by() parameter can be controlled.
CVE-2013-7469
PUBLISHED: 2019-02-21
Seafile through 6.2.11 always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.
CVE-2018-20146
PUBLISHED: 2019-02-21
An issue was discovered in Liquidware ProfileUnity before 6.8.0 with Liquidware FlexApp before 6.8.0. A local user could obtain administrator rights, as demonstrated by use of PowerShell.
CVE-2019-5727
PUBLISHED: 2019-02-21
Splunk Web in Splunk Enterprise 6.5.x before 6.5.5, 6.4.x before 6.4.9, 6.3.x before 6.3.12, 6.2.x before 6.2.14, 6.1.x before 6.1.14, and 6.0.x before 6.0.15 and Splunk Light before 6.6.0 has Persistent XSS, aka SPL-138827.