Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
10/5/2016
11:13 AM
Ned Miller
Ned Miller
Partner Perspectives
50%
50%

Cybersecurity Economics In Government -- Is Funding The Real Problem?

Government leadership and those chartered with creating budgets could benefit from applying sound value-management practices when considering the cybersecurity budget process.

Tom Quillin, Intel Security's CTO for security economics, contributed to this story. 

Tony Scott, CIO for the federal government, recently commented that the federal funding process played a part in the Office of Personnel Management breach that exposed 21.5 million records. Many of these records included personally identifiable information of employees and contractors with security clearances.

A GovWin IQ report, Federal Information Security Market, 2015-2020, forecasts the federal demand for vendor-furnished information security products and services will increase from $8.6 billion in FY 2015 to $11 billion in 2020. As agencies struggle to stay ahead of cybersecurity threats, more and more of their IT spending is being devoted to cybersecurity, reaching over 10% by 2020.

With the government investing billions of dollars a year in IT security, how could the funding process be so broken and be a significant contributor to a compromise like what occurred at OPM? I asked Tom Quillin, a colleague who specializes in cybersecurity economics for Intel Security’s CTO, to help me better understand the issue.

How and why are organizations continuing to struggle with justifying cybersecurity budgets and funding in an environment where we read about sophisticated hacks and attacks every day?

“Think of the Tower of Babel, where a large group of people, nominally focused on the same goal, loses their ability to understand each other. Too often security teams and budget owners end up speaking completely different languages, slowing down decision-making and creating huge barriers in strategy and execution,” Quillin says.  “The security team often knows exactly what needs to get done, but it doesn’t know how to translate those priorities into terms that align with the organization’s mission. Administration and leadership know they must act, but they lack the expertise to evaluate conflicting advice from different security experts. The paralysis continues until disaster strikes, at which point the floodgates open,” he says.

So how can organizations break through the language barriers?

“They need to start with the basics: making sure all are aligned on an organization’s mission and goals. Then identify what data and information is mission-critical data. With that basic level of alignment, we work with organizations to communicate how specific measures can help them make progress toward those goals. We describe this as focus on value management,” says Quillin.

What role does the security team play in this effort?

“The security team has to take responsibility for communicating with leadership how investments in security support the organization’s mission today and in the future. We work with security teams on how to describe the cost of doing nothing. The ability to communicate in terms of an organization’s mission is key to a successful cybersecurity strategy,” says Quillin.

Lessons Learned

In the case of OPM, federal government CIO Scott went on to further describe that “Congress, for the most part, funds federal civilian agencies to maintain their information systems, not to modernize them. It's a culture of what I call ‘set it and forget it,’” Scott said at an Aug. 31 symposium on trustworthiness held at the National Institute of Standards and Technology in Gaithersburg, Md. “Go put something in, and then assume your work is done.”

Scott says that approach was in play at OPM. “What you have is a recipe for high costs, cost overruns, projects that can’t be completed, and the whole litany of things that we all know historically have been true,” the CIO says. “And, indeed, in OPM we found exactly that. We found there, and across the federal government, projects that could have been done in one or two years were taking 10 years to do because they couldn’t put together enough funding in one budget cycle or two budget cycles to do the needed work.”

“And you know what happens in 10 years? Management changes, priorities change, talent changes, all kinds of things change. So any project that will take 10 years to do is probably destined for failure.”

In summary, the cybersecurity landscape can change as fast as the weather. Government leadership and those chartered with creating budgets could benefit from applying sound value-management practices when considering the cybersecurity budget process. Maybe they should start with defining more accurate ways to measure security efficacy and efficiency.

Ned Miller, a 30+ year technology industry veteran, is the Chief Technology Strategist for the Intel Security Public Sector division. Mr. Miller is responsible for working with industry and government thought leaders and worldwide public sector customers to ensure that ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Vulnerability Disclosure Programs See Signups & Payouts Surge
Kelly Sheridan, Staff Editor, Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4607
PUBLISHED: 2020-09-29
IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. IBM X-Force ID: 184884.
CVE-2020-24565
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25770
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25771
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25772
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...