Does Money Equal Security?
Labor Department CIO, Others Suggest Lack of Funding Weakens Information Security
Money equals information security, right?
Department of Labor CIO Dawn Leaf suggests it could, noting that funding at the department this past fiscal year for IT modernization fell by $4.1 million and was $15.4 million less than what President Obama's budget proposed.
"This lack of funding has directly impacted the ability of DoL to improve its IT security posture, including but not limited to the identity access management project," Leaf wrote to Elliot Lewis, DoL assistant inspector general for audit.
Leaf was responding to an audit by Lewis that showed continued weaknesses at DoL in access controls, configuration management and third-party and vendor oversight (see 3 InfoSec Woes Plaguing Federal Agencies).
Money alone, though, won't resolve the cybersecurity challenges that government agencies - or, for that matter, any organization - face. But it can't hurt, either.
"Security costs money, particularly in environments that have been historically underinvested and saddled with legacy technologies," Chris Buse, CISO for Minnesota's state government, tells me. "When asked what is the number one thing that can be done to further security in our environment, I always immediately reply, 'simplify and modernize our IT environment.' There most likely will never be enough money to put on the table to adequately protect the as-is state that currently exists in many governments today."
But the lack of funding isn't necessarily the primary challenge government agencies face in securing IT.
"Rather, it is that we continue to spend scarce resources for measures that don't work," says Franklin Reeder, a former senior official of the White House Office of Management and Budget. "Budget stringencies often have a therapeutic cleansing effect, forcing organizations to focus on what is important and what works."
Indeed, agencies need to prioritize spending. "Other projects could be placed on hold to reprioritize security spending," says Patricia Titus, former CISO at mortgage lender Freddie Mac and security provider Symantec, who now serves on the board of advisers at the cybersecurity startup Morphick.
Titus says she sees a problem within the federal government, because the CIO typically develops an agency's IT budget, with security just one element of the technology spending plan. An agency CIO might have priorities that do not necessarily address IT security matters, she says. "This is the age-old issue of the CISO's budget tied to the CIO," Titus says. "The government and other entities need to have a budget for the CISO distinct from the CIO."
Money Bolstered by Motivation
Still, even without bigger budgets, under some circumstances, agencies can enhance cybersecurity. Take, for instance, the recent 30-Day Cybersecurity Sprint prompted by Federal CIO Tony Scott. One of the sprint's objectives was getting agencies to increase the adoption of Personal Identity Verification, or PIV, cards as a second factor to authenticate federal workers logging on to government IT systems.
The results were impressive (see 30-Day Cybersecurity Sprint: Just a Start). During the sprint, Scott reports, federal civilian agencies increased their use of strong authentication for privileged and unprivileged users to 72 percent from 42 percent. The stats for increased use of strong authentication for privileged users alone were even more impressive, increasing to nearly 75 percent from 33 percent.
Yet, Scott understands that motivation alone won't solve the problem. Money helps. "At the same time, we need help from our partners in Congress," Scott says in a blog posting that discusses the sprint. "Decades of underfunding and years of uncertainty in budgets and resourcing for strategic and critical IT capabilities like cybersecurity have contributed to the current unsustainable state of the federal government's networks."