Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
10/5/2016
11:13 AM
Ned Miller
Ned Miller
Partner Perspectives
50%
50%

Cybersecurity Economics In Government -- Is Funding The Real Problem?

Government leadership and those chartered with creating budgets could benefit from applying sound value-management practices when considering the cybersecurity budget process.

Tom Quillin, Intel Security's CTO for security economics, contributed to this story. 

Tony Scott, CIO for the federal government, recently commented that the federal funding process played a part in the Office of Personnel Management breach that exposed 21.5 million records. Many of these records included personally identifiable information of employees and contractors with security clearances.

A GovWin IQ report, Federal Information Security Market, 2015-2020, forecasts the federal demand for vendor-furnished information security products and services will increase from $8.6 billion in FY 2015 to $11 billion in 2020. As agencies struggle to stay ahead of cybersecurity threats, more and more of their IT spending is being devoted to cybersecurity, reaching over 10% by 2020.

With the government investing billions of dollars a year in IT security, how could the funding process be so broken and be a significant contributor to a compromise like what occurred at OPM? I asked Tom Quillin, a colleague who specializes in cybersecurity economics for Intel Security’s CTO, to help me better understand the issue.

How and why are organizations continuing to struggle with justifying cybersecurity budgets and funding in an environment where we read about sophisticated hacks and attacks every day?

“Think of the Tower of Babel, where a large group of people, nominally focused on the same goal, loses their ability to understand each other. Too often security teams and budget owners end up speaking completely different languages, slowing down decision-making and creating huge barriers in strategy and execution,” Quillin says.  “The security team often knows exactly what needs to get done, but it doesn’t know how to translate those priorities into terms that align with the organization’s mission. Administration and leadership know they must act, but they lack the expertise to evaluate conflicting advice from different security experts. The paralysis continues until disaster strikes, at which point the floodgates open,” he says.

So how can organizations break through the language barriers?

“They need to start with the basics: making sure all are aligned on an organization’s mission and goals. Then identify what data and information is mission-critical data. With that basic level of alignment, we work with organizations to communicate how specific measures can help them make progress toward those goals. We describe this as focus on value management,” says Quillin.

What role does the security team play in this effort?

“The security team has to take responsibility for communicating with leadership how investments in security support the organization’s mission today and in the future. We work with security teams on how to describe the cost of doing nothing. The ability to communicate in terms of an organization’s mission is key to a successful cybersecurity strategy,” says Quillin.

Lessons Learned

In the case of OPM, federal government CIO Scott went on to further describe that “Congress, for the most part, funds federal civilian agencies to maintain their information systems, not to modernize them. It's a culture of what I call ‘set it and forget it,’” Scott said at an Aug. 31 symposium on trustworthiness held at the National Institute of Standards and Technology in Gaithersburg, Md. “Go put something in, and then assume your work is done.”

Scott says that approach was in play at OPM. “What you have is a recipe for high costs, cost overruns, projects that can’t be completed, and the whole litany of things that we all know historically have been true,” the CIO says. “And, indeed, in OPM we found exactly that. We found there, and across the federal government, projects that could have been done in one or two years were taking 10 years to do because they couldn’t put together enough funding in one budget cycle or two budget cycles to do the needed work.”

“And you know what happens in 10 years? Management changes, priorities change, talent changes, all kinds of things change. So any project that will take 10 years to do is probably destined for failure.”

In summary, the cybersecurity landscape can change as fast as the weather. Government leadership and those chartered with creating budgets could benefit from applying sound value-management practices when considering the cybersecurity budget process. Maybe they should start with defining more accurate ways to measure security efficacy and efficiency.

Ned Miller, a 30+ year technology industry veteran, is the Chief Technology Strategist for the Intel Security Public Sector division. Mr. Miller is responsible for working with industry and government thought leaders and worldwide public sector customers to ensure that ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26814
PUBLISHED: 2021-03-06
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc...
CVE-2021-27581
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.