A group of public sector cybersecurity leaders, speaking on a panel Feb. 24 at the RSA Public Sector Day event, discussed the challenge of reconciling competing priorities when assessing both the business value and mission value of cybersecurity investments.
The resounding refrain from the panelists suggested that, while return on investment can be tricky to substantiate to mission owners—and to both internal and external stakeholders— establishing programs to evaluate risk and map solutions to distinct security problems is an excellent place to start.
“It’s no longer that we just have our own secluded budget in the Federal government for cybersecurity. Our dollars are at competition for things that we spend not only on cyber, but outside of cyber and even outside of IT,” said Department of Veterans Affairs (VA) CISO Paul Cunningham.
“Our regulators – OMB and IG – but also our senior leadership are really looking closely at where we’re spending our money, why we’re making those choices,” he added, noting this as a departure from set-aside budgeting processes of five to ten years prior.
He also highlighted further complexities – VA, for example, operates with “a budget about equal to a Fortune 10 company,” is the largest healthcare network in the United States, a financial institution dispersing $120 billion in veterans’ benefits, and a manager of nearly 25,000 acres of memorial land, Cunningham said.
So how do you fit cyber into a huge portfolio or citizen services, needs, and competing priorities?
Decisions are easy when cybersecurity converges with physical security, suggested State of Texas CISO Nancy Rainosek. She provided the example of affected SCADA systems whose compromise could impact the state’s ability to provide clean water to its constituents.
“When we’re looking at the local level, that’s the way we look at it – scope, criticality, and public safety,” she said. “When you can’t provide services to your customer because of ransomware or because of anything that takes out your IT, you’re failing to do your mission. So, my tenet right now is, cyber is part of your mission.”
The panelists offered multiple examples – Kevlar vests versus a firewall, or dispersing more veteran benefits versus buying a cyber tool – where the emotional response makes a fair and rational decision more difficult.
In these cases, strategic programs to evaluate risk and substantiate actual need become an important tool, suggested Department of Health and Human Services (HHS) CISO Janet Vogel.
Vogel described a department-wide enterprise risk management council, composed of HHS’ representative agencies – CDC, NIH, FDA, and the like – where stakeholders “sit together and look at the risk for the entire enterprise.”
“This year is the first year that IT security is recognized as risk, and I do sit on that council now with a vote,” she said. “When it’s relevant [to other internal stakeholders], it helps with those decisions about Kevlar vest or firewall, and what are they going to benefit from participating in this.”
Vogel also suggested an element of practicality and resourcefulness in purchasing decisions.
“Are we just buying a tool because it’s really great, and it could do something really cool we aren’t doing yet, versus leveraging the native and inherent capabilities of software that we already have,” she said.
Vogel added that, for something like machine learning, “we look in-house first, govern ourselves, and mix the old and new.”
Rainosek, whose office is responsible for evaluating statewide funding requests for cybersecurity, developed a methodology where project owners self-assess their risk. Rainosek’s office then prioritizes those projects – “like a magic quadrant” – which the state legislature then uses to inform funding decisions.
That speaks toward the prerogative of effective collaboration, a point crystallized by David Tillman, IT security and risk executive at the National Credit Union Administration.
Tillman, who has managed both an IT service delivery organization, and a cybersecurity organization, noted that those two IT departments can find themselves at odds. If IT doesn’t work, it’s cyber’s fault – or vice versa. In all of these conversations – aligning around a common vision can help move the ball forward.
“Partnership is the last key. We have to partner with those around us in order to get a full view,” he said. “I’ve found that adding that last key, that people-partnership aspect is very important.”
