What's on Your Cybersecurity Wish List?
When creating budget requests, cyber leaders must ask how a purchase enables risk reduction.
It’s that time of year. With the government fiscal year ending, agency leaders are pushing through their last-minute budget wish lists. A core part of those wishes either does or should relate to cybersecurity. As the steady stream of data breaches continue coupled with an increase in cybersecurity regulations and guidance, such as the National Institute for Standards and Technology’s (NIST’s) cybersecurity framework, the President’s cybersecurity executive order, and the Federal Information Security Modernization Act, government cyber leaders must effectively make their case for more budget. So, what should they be doing to make their wishes come true? The answer is in one short word: risk.
The President’s Cybersecurity Executive Order pushes agencies to build cybersecurity programs using a risk-based approach. That means identifying the “crowned jewels,” those systems and applications that would impact the mission the most if compromised, and prioritizing the protection of those assets first. The president has already tied the cybersecurity portion of the budget to adopting this risk-based strategy. His executive order, which focuses on the NIST Framework for Improving Critical Infrastructure Cybersecurity and its Risk Management Framework, spells out six direct areas. They include:
- Categorizing information and systems based on the potential impact to the organization and its ability to accomplish its mission, protect assets, fulfill its legal responsibilities and maintain day-to-day functions.
- Identifying all information types processed, stored or transmitted by these systems.
- Implementing a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements.
- Ongoing monitoring of security controls and the security state of systems, which includes understanding threats, vulnerabilities and security control effectiveness.
- Integrating an organizationwide program for managing information security risk.
- Conducting risk assessments of federal systems and organizations.
Like most objectives set forth by private and public-sector organizations, the mandate must come from the top. For cybersecurity, that’s now the case, which is why when creating their budget requests, cyber leaders must ask themselves how a purchase actually enables cyber risk reduction. To break it down even further, if they are looking to make investments to combat insider threats, they should collect information about how user and entity behavior analytics (UEBA) technology reduces risk surrounding insider threats. If they are looking for technology that enables them to better prioritize vulnerability remediation, they should align the request to the vulnerability management guidance set forth in the NIST framework.
Based on what I have witnessed when working with federal agencies, many have started the process of thinking and speaking risk. However, I have yet to see an agency that has fully implemented a risk-based cybersecurity program.
So, when writing budget requests, ask these questions:
- Where are my most important systems and applications, those, that if compromised, would damage our mission the most?
- What are the threats and vulnerabilities that could compromise those assets?
- Which of those assets are most at risk?
- Which protections are in place for those assets and are they configured properly?
- What do I need to invest in to better protect those assets?
Those types of questions align with the risk-based mandates from the top, and as such, will make budget wishes a reality.
Thomas Jones is a federal systems engineer with Bay Dynamics.