Budget pressures up ante for cybersecurity planning

What’s the business case for improving cybersecurity? Despite the heightened awareness of the real and persistent threat to government systems, federal agencies are being asked to answer that question -- and they do not always find it easy to do so.

It’s not that agency or congressional leaders doubt the importance of cybersecurity. It’s just that they want federal IT managers to do a better job of showing that they are investing their money wisely.

Ed Ferrara, a principal analyst at Forrester Research, wrote in a recent blog post that chief information security officers have often struggled to explain cybersecurity risks and impact in business terms.

Senior leaders generally will ask three questions, he writes: “1) Are we any more secure this year as compared to last year? 2) Are we spending the right amount on information security? and 3) Do we have the right people on the security team?”

Such questions are not trivial in the current budget environment, when spending across the board is facing more scrutiny than ever. The importance of cybersecurity does not make it immune to tough questions. A key concern is prioritization.

For example, in a November 2012 report, the Government Accountability Office criticized the Agriculture Department for spending decisions related to IT security. In previous reports during the last three years, GAO auditors had identified “material weaknesses” in security and urged the department to work with its agencies to “define and accomplish a manageable number of critical objectives before proceeding to the next set of priorities,” according to the report.

But when the department received sizable increases in IT funding in fiscal 2010 and 2011, IT leaders chose to spread the money across 16 individual programs, “some of which did not address the department’s most critical security concerns,” the auditors observed.

But the Office of Management and Budget and Congress are looking for more than a list of cybersecurity priorities to fund. They also want to see that agencies can make a good business case for their programs.

Late last year, GAO directed the State Department to improve its security-related capital planning process. The problem was somewhat technical in nature: When the time came to submit its recent Capital Planning and Investment Control reports on the security funding needed for its enterprise-level IT investments, the official responsible had not yet been fully trained on the submission process, and so the department’s Exhibit 300 documents were incomplete.

Although the problem was understandable, it was not trivial. “These project charters and risk management plans are critical not only to investments’ success but also to securing the funding necessary to acquire and operate IT investments,” the report states.

But these departments are hardly alone in their difficulties. In a January 2013 report, GAO auditors say they found a similar lack of business planning across government. The report traces the problem back to two documents that have guided the federal government’s cybersecurity efforts: the 2000 National Plan for Information Systems Protection and the 2003 National Strategy to Secure Cyberspace.

These documents identified essential goals and activities to pursue. What they did not do, however, was make a business case for those goals and objectives based on the risks being addressed and the relative cost of mitigating them.

“Many of the private-sector experts we consulted stated that not establishing such a value proposition makes it difficult to mobilize the resources needed to significantly improve security within the government as well as to build support in the private sector for a national commitment to cybersecurity,” the report states.

For ideas on how to make this work, agencies might look to the Department of Homeland Security. DHS received kudos from its inspector general for its approach to cybersecurity-related capital planning. In particular, the IG noted that DHS officials provided component agencies with guidance on doing their own capital planning “to ensure that each investment is successfully managed, cost-effective, and supports DHS’ mission and strategic goals.”