If you are a cybersecurity leader at a federal agency, there’s a good chance you are putting together your last-minute budget requests for this fiscal year. The deadline for requests is at the end of this month, and this year’s budget “wish lists” may, or should, have a different focus. Whereas in the past cybersecurity was viewed as an “all about technology” issue, the steady stream of guidance and regulation, together with the never-ending onslaught of breaches, has transformed it into a risk management issue. And that transformation may shift the wishes you put on your upcoming lists.
The NIST Cybersecurity Framework and the President’s Cybersecurity Executive Order are two recently released pieces of guidance/regulation pushing this transformation. The NIST Cybersecurity Framework spells out risk management areas including conducting risk assessments, continuous monitoring, identifying the assets most impactful to the mission, implementing protections for those assets first, and more. In August 2017, the public comment period closed for additional NIST cyber risk guidance that offers a step-by-step process to enable agencies to identify the most critical systems and applications that must not fail or be compromised, a big step in enabling agencies to approach cybersecurity from a risk-based standpoint.
While the NIST Cybersecurity Framework is voluntary guidance, portions of the budget are being tied to key concepts outlined in the Cybersecurity Framework, NIST Special Publication 800-39, and the President’s Cybersecurity Executive Order. The order, unveiled in May 2017, touches on everything from the need for an agency-by-agency risk assessment to dealing with outdated infrastructure, botnets, and driving a cyber-educated workforce. With the NIST guidance as the centerpiece, the order gives government CISOs an opportunity to rally the troops across their agencies to initiate a cyber risk management process with a mindset of continuous compliance, shifting the mindset of all functions to asking daily, “Is what I am doing putting my agency’s data and systems at risk?”
More recently, in July 2017, as part of the order, all federal agencies were required to submit a Framework Implementation Action Plan as well as a set of metrics that show how they are protecting their most valuable information assets from cyberattacks and breaches. While agencies have always had to submit IT security metrics under the FISMA requirements, this year the metrics shifted in focus from the bells-and-whistles technical aspects of their cybersecurity programs to risk management. For example, agencies will need to report metrics tied to the value of applications and of the systems that host those applications.
Along with this risk-focused transformation, pushed forward through guidance and regulation like the NIST Cybersecurity Framework, NIST Special Publication 800-39 and the Cybersecurity Executive Order, budget wish lists must shift their focus as well. Cyber leaders must demonstrate that what they are asking for aligns with this new risk-based model. For example, instead of requesting a new firewall or other piece of technology, cyber leaders should spell out how that new technology will enable them to reduce risk to their most critical assets. Instead of asking for user and entity behavior analytics (UEBA) tools, they should describe the problem UEBA would solve in terms of risk. For example: “I lack visibility into the people who are accessing our most mission-critical assets every day. I don’t know how they are behaving on the network, and therefore cannot flag if someone is putting our mission-critical assets at risk. That’s why I need UEBA.”
While it is helpful for cyber leaders to tie their budget asks to compliance with the risk-based frameworks and regulation, it’s more important they tie them to continuous security. If their first objective is security, compliance should follow. It’s not the same the other way around.
So, if you’re putting together that last-minute budget wish list, think risk. Ask yourself, “What do I need that will help me identify and protect those assets that, if compromised, would impact the mission the most?” And then enable those in charge of approving budget spends to view your requests through a risk-based lens.