Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
10/5/2016
11:13 AM
Ned Miller
Ned Miller
Partner Perspectives
50%
50%

Cybersecurity Economics In Government -- Is Funding The Real Problem?

Government leadership and those chartered with creating budgets could benefit from applying sound value-management practices when considering the cybersecurity budget process.

Tom Quillin, Intel Security's CTO for security economics, contributed to this story. 

Tony Scott, CIO for the federal government, recently commented that the federal funding process played a part in the Office of Personnel Management breach that exposed 21.5 million records. Many of these records included personally identifiable information of employees and contractors with security clearances.

A GovWin IQ report, Federal Information Security Market, 2015-2020, forecasts the federal demand for vendor-furnished information security products and services will increase from $8.6 billion in FY 2015 to $11 billion in 2020. As agencies struggle to stay ahead of cybersecurity threats, more and more of their IT spending is being devoted to cybersecurity, reaching over 10% by 2020.

With the government investing billions of dollars a year in IT security, how could the funding process be so broken and be a significant contributor to a compromise like what occurred at OPM? I asked Tom Quillin, a colleague who specializes in cybersecurity economics for Intel Security’s CTO, to help me better understand the issue.

How and why are organizations continuing to struggle with justifying cybersecurity budgets and funding in an environment where we read about sophisticated hacks and attacks every day?

“Think of the Tower of Babel, where a large group of people, nominally focused on the same goal, loses their ability to understand each other. Too often security teams and budget owners end up speaking completely different languages, slowing down decision-making and creating huge barriers in strategy and execution,” Quillin says.  “The security team often knows exactly what needs to get done, but it doesn’t know how to translate those priorities into terms that align with the organization’s mission. Administration and leadership know they must act, but they lack the expertise to evaluate conflicting advice from different security experts. The paralysis continues until disaster strikes, at which point the floodgates open,” he says.

So how can organizations break through the language barriers?

“They need to start with the basics: making sure all are aligned on an organization’s mission and goals. Then identify what data and information is mission-critical data. With that basic level of alignment, we work with organizations to communicate how specific measures can help them make progress toward those goals. We describe this as focus on value management,” says Quillin.

What role does the security team play in this effort?

“The security team has to take responsibility for communicating with leadership how investments in security support the organization’s mission today and in the future. We work with security teams on how to describe the cost of doing nothing. The ability to communicate in terms of an organization’s mission is key to a successful cybersecurity strategy,” says Quillin.

Lessons Learned

In the case of OPM, federal government CIO Scott went on to further describe that “Congress, for the most part, funds federal civilian agencies to maintain their information systems, not to modernize them. It's a culture of what I call ‘set it and forget it,’” Scott said at an Aug. 31 symposium on trustworthiness held at the National Institute of Standards and Technology in Gaithersburg, Md. “Go put something in, and then assume your work is done.”

Scott says that approach was in play at OPM. “What you have is a recipe for high costs, cost overruns, projects that can’t be completed, and the whole litany of things that we all know historically have been true,” the CIO says. “And, indeed, in OPM we found exactly that. We found there, and across the federal government, projects that could have been done in one or two years were taking 10 years to do because they couldn’t put together enough funding in one budget cycle or two budget cycles to do the needed work.”

“And you know what happens in 10 years? Management changes, priorities change, talent changes, all kinds of things change. So any project that will take 10 years to do is probably destined for failure.”

In summary, the cybersecurity landscape can change as fast as the weather. Government leadership and those chartered with creating budgets could benefit from applying sound value-management practices when considering the cybersecurity budget process. Maybe they should start with defining more accurate ways to measure security efficacy and efficiency.

Ned Miller, a 30+ year technology industry veteran, is the Chief Technology Strategist for the Intel Security Public Sector division. Mr. Miller is responsible for working with industry and government thought leaders and worldwide public sector customers to ensure that ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/13/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14300
PUBLISHED: 2020-07-13
The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 (https://access.redhat.com/errata/RHBA-2020:0053) included an incorrect version of runc that was missing multiple bug and security fixes. One of the fixes regressed in th...
CVE-2020-14298
PUBLISHED: 2020-07-13
The version of docker as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 advisory included an incorrect version of runc missing the fix for CVE-2019-5736, which was previously fixed via RHSA-2019:0304. This issue could allow a malicious or compromised container to compromise the co...
CVE-2020-15050
PUBLISHED: 2020-07-13
An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal.
CVE-2020-10987
PUBLISHED: 2020-07-13
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
CVE-2020-10988
PUBLISHED: 2020-07-13
A hard-coded telnet credential in the tenda_login binary of Tenda AC15 AC1900 version 15.03.05.19 allows unauthenticated remote attackers to start a telnetd service on the device.