Cybersecurity Economics in Government: Is Funding the Real Problem?

By Lindsey Patterson
Contributing Writer

When examining cybersecurity budgets, government leaders and financial advisors would be more effective if they applied basic value-management to their processes.

A recent breach exposed over 21 million Office of Personnel Management records involving federal employees. Much of this was personal information on staff with sensitive security clearances. According to government CIO Tony Scott, drawbacks in the federal funding plan were partly to blame.

Recognized Need

Cybersecurity is a pressing issue, even for the U.S. government. According to a GovWin report, federal demand for vendor security applications and services will grow to $11 billion by 2020. The struggle to stay ahead of international cyber threats is taking up a growing proportion of IT budgets in many national agencies. President Obama has proposed a $3.1 billion Information Technology Modernization Fund, but actual commitment has yet to be seen.

Both commercial and government organizations at every level are obliged to constantly evaluate and justify security budgets. Corporations and even small businesses around the globe are coming to regard their data as their most valuable asset, and take advantage of every new software and hardware security features to ensure that it's protected against loss.

Insurance for a business is determined by evaluating the level of risk, yet civilian authorities rarely take that perspective. Back in 2014, $786 million in federal funds was ear-marked for cybersecurity, yet we continue to hear about cybercrimes that are not only increasingly sophisticated, but extremely damaging.

Lack of Focus

The question arises that if the government is devoting more money into improved IT security, how could incidents like the above-mentioned data breach occur? Is the funding process so out of sync that it's squandering billions of dollars without fixing the problems?

It may be a matter of segmentation and isolation. Imagine a culture under siege where everyone has the same defensive goals, but no one is sharing resources or information. Each group, agency, or institution is primarily dedicated to maintaining its own secure data rather than cooperating for the common good.

A breakdown in communication between cybersecurity experts and funding sources is creating obstacles in both planning and executing strategies. A team of qualified IT security professionals may be able to see through the technical challenges, but not how to report them in a way that aligns with current missions.

This leads administrators and budget controllers to overlook key points because they simply don't have the expertise to prioritize the information that's presented. This creates a state of indecision where disaster is bound to happen because the proper measures were never implemented.

More Effective Dialogue

In order to eliminate communication barriers, all parties need to clearly understand the risks and goals. Organizational missions must also be defined in terms of critical data as an essential asset to achieving those goals. When different job roles are aligned with the same criteria and objectives, they can share information on what measures are most important to making progress and mitigating risk. The focus has to be on value management, not directionless use of technologies.

Cybersecurity teams need to provide effective conclusions to leadership outlining the advantages in a specific course of action, and how it fits into the overall agenda. Understanding the mission on a long-term basis is crucial. Both sides must also be aware of the potential loss in doing nothing. Successful cybersecurity tactics need administrator buy in, and that won't come unless leaders recognize the importance of IT security in reaching their goal.

Congress largely funds federal agencies for the purpose of maintaining IT systems, not expanding or improving them. Also lacking any IT expertise, funding committees assume that an influx of money will strengthen the existing infrastructure.

A lack of clear priorities and sharing of information leads to a culture of high costs, budget overruns, important projects that are never realized, and frequent oversights or misuse of funds. The OPM data breach was just such an example. Security initiatives that could have been accomplished in as little as a year were taking a decade or more because there were not enough committed funds to see projects to completion in a practical timeframe.

Today's hackers, in contrast, appear to be increasingly well-organized and informed. Their tactics are innovative and evolving. Government leaders tasked with countering new threats need to apply value-management concepts to the application of funds and the budgeting process. They could start by instituting policies and measures to accurately gauge security benefits.