8 tips for better security on a tight budget
CISOs must develop strategies to cope with limited, or even reduced, funding in the face of evolving threats and continuing regulatory and legislative mandates.
There is little argument nowadays over the importance of cybersecurity within the federal government. Nevertheless, chief information security officers rarely have all the funding they need for the products and services necessary to provide mature cybersecurity programs.
Consequently, CISOs must develop strategies to cope with limited, or even reduced, funding in the face of evolving threats and continuing regulatory and legislative mandates. CISOs should consider the following approaches for keeping agency information secure when resources are tight.
1. Increase efficiency.
Declining resources bring the need for more efficient security processes sharply into focus. The CISO should develop and document processes such as reporting under the Federal Information Security Management Act (FISMA), Plan of Action and Milestones tracking, vulnerability scanning and controls testing so that they can be performed as efficiently as possible. Doing so can save money through automation, which reduces the labor involved in completing each task, or by allowing the work to be done by less-skilled personnel. Integrating security-related processes into the system development life cycle is another highly effective way to implement security efficiently. Finally, more efficient processes may make it possible to modify existing services and contracts so that they can be performed by less-skilled, but more affordable, personnel.
2. Educate yourself on the budget process.
The CISO will be well served to have a ready knowledge of the budget formulation process and schedule, and employ trained personnel to monitor and track budget submissions. The ability to respond on short notice to funding opportunities as they arise is of paramount importance, especially at the end of the fiscal year. The CISO should strive to establish a close working relationship with the chief financial officer and the CIO to ensure that cybersecurity funding requirements and priorities are both articulated and understood.
3. Evaluate the budget.
When funding is tight, the CISO must review his or her cybersecurity program budget from the perspective of the agency mission and strategic plan using risk management principles. This will ensure the budget is used to procure products and services that support mission-critical efforts. The CISO must scrub the existing budget to validate each of his or her initiatives and each purchase according to cybersecurity program priorities, and know how each dollar helps achieve those objectives.
4. Plan for funding shortfalls.
Irrespective of the urgency or criticality of agency cybersecurity requirements, the CISO must adhere to the agency’s budget formulation cycle. In other words, funding is not always available when it is most needed. Consequently, the CISO must document and prioritize unfunded requirements as a contingency, so that they can be acted on quickly when funding becomes available. The CISO should also understand that the CFO will require assurance that this type of funding will be obligated promptly.
5. Consider funding alternatives.
The information security function in government agencies provides services to its customers in the form of compliance and oversight activities, controls assessments and testing, planning services, vulnerability scanning and the like. When funding is at a premium, CISOs might consider cost reimbursement for any services they render to system owners and their other customers. The CISO can remind system owners of the provisions of FISMA and their responsibility for securing the information systems they own. Additionally, it may be possible to convince managers of other organizational elements to provide funding for particular cybersecurity needs. Necessary security solutions that support the enterprise may belong to the IT operations organization, which might be persuaded to assume responsibility for their purchase and implementation.
6. Emphasize common controls.
The CISO should seek to maximize the use of common controls such as secure configurations for all IT items purchased before deployment across the agency to reduce implementation costs, as well as to reduce the time and effort required for their documentation, monitoring and assessment for effectiveness.
7. Engage management.
Effective management support is crucial in a tight budget environment. The CISO must ensure that the agency head, CIO and other senior executives are aware of the impact of limited funding on the cybersecurity program and, in particular, how it will affect the management of risks to agency information and information systems. From the CISO’s perspective, there is always much to be done to develop, implement and maintain an enterprise information risk management program — and they must do everything in their power to ensure that senior management’s perception of risks matches their own.
8. Retain cybersecurity personnel.
Because reduced budgets are often accompanied by hiring freezes, CISOs must work hard to retain cybersecurity professionals who may be tempted to seek employment elsewhere. Alternative work schedules and work locations, including telework from other geographical regions, should be considered to enhance employee job satisfaction. Additionally, CISOs could benefit from personnel assigned to other agency offices by means of details and informal rotational assignments. If hiring is restricted, the use of contractor personnel to fill vacancies can also help the CISO maintain critical capabilities.
Today, operating with constrained resources has become a way of life for government CISOs. No matter how important cybersecurity is to an organization, consistent management support is not guaranteed, and prior-year budget levels cannot be assumed. CISOs must prepare themselves for doing more with less in the face of increasing cyber threats through the application of practical approaches within an enterprise information risk management framework.