Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
10/5/2016
11:13 AM
Ned Miller
Ned Miller
Partner Perspectives
50%
50%

Cybersecurity Economics In Government -- Is Funding The Real Problem?

Government leadership and those chartered with creating budgets could benefit from applying sound value-management practices when considering the cybersecurity budget process.

Tom Quillin, Intel Security's CTO for security economics, contributed to this story. 

Tony Scott, CIO for the federal government, recently commented that the federal funding process played a part in the Office of Personnel Management breach that exposed 21.5 million records. Many of these records included personally identifiable information of employees and contractors with security clearances.

A GovWin IQ report, Federal Information Security Market, 2015-2020, forecasts the federal demand for vendor-furnished information security products and services will increase from $8.6 billion in FY 2015 to $11 billion in 2020. As agencies struggle to stay ahead of cybersecurity threats, more and more of their IT spending is being devoted to cybersecurity, reaching over 10% by 2020.

With the government investing billions of dollars a year in IT security, how could the funding process be so broken and be a significant contributor to a compromise like what occurred at OPM? I asked Tom Quillin, a colleague who specializes in cybersecurity economics for Intel Security’s CTO, to help me better understand the issue.

How and why are organizations continuing to struggle with justifying cybersecurity budgets and funding in an environment where we read about sophisticated hacks and attacks every day?

“Think of the Tower of Babel, where a large group of people, nominally focused on the same goal, loses their ability to understand each other. Too often security teams and budget owners end up speaking completely different languages, slowing down decision-making and creating huge barriers in strategy and execution,” Quillin says.  “The security team often knows exactly what needs to get done, but it doesn’t know how to translate those priorities into terms that align with the organization’s mission. Administration and leadership know they must act, but they lack the expertise to evaluate conflicting advice from different security experts. The paralysis continues until disaster strikes, at which point the floodgates open,” he says.

So how can organizations break through the language barriers?

“They need to start with the basics: making sure all are aligned on an organization’s mission and goals. Then identify what data and information is mission-critical data. With that basic level of alignment, we work with organizations to communicate how specific measures can help them make progress toward those goals. We describe this as focus on value management,” says Quillin.

What role does the security team play in this effort?

“The security team has to take responsibility for communicating with leadership how investments in security support the organization’s mission today and in the future. We work with security teams on how to describe the cost of doing nothing. The ability to communicate in terms of an organization’s mission is key to a successful cybersecurity strategy,” says Quillin.

Lessons Learned

In the case of OPM, federal government CIO Scott went on to further describe that “Congress, for the most part, funds federal civilian agencies to maintain their information systems, not to modernize them. It's a culture of what I call ‘set it and forget it,’” Scott said at an Aug. 31 symposium on trustworthiness held at the National Institute of Standards and Technology in Gaithersburg, Md. “Go put something in, and then assume your work is done.”

Scott says that approach was in play at OPM. “What you have is a recipe for high costs, cost overruns, projects that can’t be completed, and the whole litany of things that we all know historically have been true,” the CIO says. “And, indeed, in OPM we found exactly that. We found there, and across the federal government, projects that could have been done in one or two years were taking 10 years to do because they couldn’t put together enough funding in one budget cycle or two budget cycles to do the needed work.”

“And you know what happens in 10 years? Management changes, priorities change, talent changes, all kinds of things change. So any project that will take 10 years to do is probably destined for failure.”

In summary, the cybersecurity landscape can change as fast as the weather. Government leadership and those chartered with creating budgets could benefit from applying sound value-management practices when considering the cybersecurity budget process. Maybe they should start with defining more accurate ways to measure security efficacy and efficiency.

Ned Miller, a 30+ year technology industry veteran, is the Chief Technology Strategist for the Intel Security Public Sector division. Mr. Miller is responsible for working with industry and government thought leaders and worldwide public sector customers to ensure that ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19642
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
CVE-2019-19637
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.
CVE-2019-19635
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19636
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_encode_body at tosixel.c.