Federal cybersecurity is a financial issue
In many ways, it is a difficult time to be an IT leader in a federal agency. Budgets are tight, yet the IT services that agencies are expected to provide continue to expand and diversify. At the same time, cybersecurity has become a critical issue for every department. The number of cybercriminals and hackers around the world is growing, their techniques are becoming more sophisticated and federal agencies are widely seen by these threats as possessing valuable data worth targeting.
But while many observers now largely appreciate the importance of federal cybersecurity as a national security matter, they frequently overlook the fact that these efforts can also have a financial impact. As Federal Times contributor Kevin Smith recently asserted, federal IT leaders should focus on cybersecurity's business case in order to secure the resources they need to fully protect their agencies.
First and foremost, Smith argued that the federal government as a whole needs to acknowledge that its current approach to cybersecurity is insufficient. He pointed out that there were more than 46,000 cybersecurity-related incidents last year, and this year's tally will quite possibly be even greater. Only by dedicating more resources to cybersecurity can federal agencies hope to curb this trend and better protect the country's public sector data.
Yet as Smith noted, it is very difficult for IT leaders to get ahold of these greater resources. Federal leaders who determine agency budgets are difficult to sway, even as they generally recognize the importance of cybersecurity.
The writer asserted that focusing on cybersecurity's business case can overcome this hesitation. By building a business case via the Capital Planning and Investment Control process, Smith explained, IT leaders can effectively defend their portfolios and demonstrate how a better investment now can lead to IT cost savings later.
"Agency leaders need a full understanding of their business environment to include the organizational missions, portfolios, architecture, capabilities, resources and constraints so that they can make hard decisions if resources need to be reallocated," Smith wrote. "They must understand the cybersecurity universe, not only within the federal sector, but to the extent possible how the private sector is planning and budgeting to meet online threats."
When agency decision-makers gain a better sense of how private sector organizations are approaching cybersecurity, they will be more likely to understand the financial value that the government will see by increasing its investment in this area.
Making the most of what they have
However, while making a business case for cybersecurity can help agency leaders to justify and obtain greater spending for their data protection efforts, the fact remains that IT personnel will never have all of the resources they would like to possess. Even the most well-funded agency's IT department will need to adopt an approach that emphasizes maximizing benefits while limiting costs.
This state of affairs represents one of the key reasons why a third-party cybersecurity firm can prove so valuable for federal agencies. A high-quality consulting company can help federal agencies to identify inefficiencies and shortcomings in their existing cybersecurity posturing, as well as guide the development of more effective strategies and policies.
This last point is particularly important. One of the biggest shortcomings in many organizations' cybersecurity efforts is insider behavior. Whether at a private sector company or public sector agency, employees will frequently engage in risky behavior that endangers the organization's network and all its digital assets. A third-party cybersecurity firm can deliver training and superior policy recommendations that cut down on the types of employee behavior which can create vulnerabilities for cybercriminals to attack.