Most federal agencies continue to experience weaknesses in protecting their information and information systems. Given the security vulnerabilities facing the federal government, it is important to ask 1) How much should we invest in cybersecurity programs? and 2) Perhaps more importantly, what should we spend it on?
“We have had a train wreck coming,” former NSA director Mike McConnell said in a New York Times article examining the aftershocks of the agency’s recent security breach. The greater emphasis on cybersecurity in the FY 2018 federal budget means that more than $20 billion in unclassified cyber program investments is hanging in the balance, according to Taxpayers for Common Sense. Answering the questions of how much to invest and where to invest it is therefore a critical resource allocation decision for each agency, and finding the optimal level of cybersecurity investment will be key.
The Office of Management and Budget provided further details and insight on the significance of the budget emphasis on cyber: “For the first time, this budget includes discrete cyber program investments that align budget resources with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This will enable the alignment of budget, risk, and performance data in a consistent way across all federal agencies.”
However, as the federal government returns to work after a partial shutdown for the second time since 2013, agencies are faced with the daunting task of operating under a fourth stopgap funding measure. Without a final budget for the year, agencies will continue to operate in a constrained environment with little flexibility to begin new programs or terminate existing ones.
With more than $1 trillion of discretionary spending hanging in the balance in FY 2018, leaders have expressed frustration with the lack of progress. According to Chairman of the Joint Chiefs of Staff Gen. Joe Dunford, “We want to be good stewards of the taxpayer dollar, and in order to do that, you’ve got to lay out a plan.” He recently said, “sometimes when you’re forced to spend all the money in a compressed period of time at the end of the fiscal year, it isn’t necessarily as efficient a use of the resources as you’d want it to be.”
When building an organization’s cybersecurity investment strategy, we recommend an economics-based framework grounded in a straightforward analytical model that considers a broad group of information security breach functions.
Use the following 3 A’s to find the right level of investment:
Analyze potential losses. The first step is to consider what the organization stands to lose if cybercriminals breach its defenses. Public-sector organizations that are responsible for maintaining large databases of individuals’ personal identifying information, for example, stand to incur significant costs to repair a breach, compensate individuals for their stolen information, and restore the organization’s reputation. Earlier this month, DHS notified more than 246,000 current and former employees of a personal data breach after an eight-month investigation. Only two years earlier, a similar cybersecurity breach at OPM affected as many as 4 million people. Experts estimate the OPM breach may cost taxpayers as much as $1 billion over the next decade.
Assess the probability of occurrence. With multiple investigations into breaches stemming from former employees and contractors, the NSA is facing a series of new external threats from rogue groups that have resulted in stolen cyberweapons used in a worldwide crime spree. In an era of digital transformation, no organization is immune. However, not all organizations are facing the same threat level. Therefore, how likely is a breach at the organization? What is the organization’s current cybersecurity posture relative to its digital assets? What is the greater concern? External forces? Or internal ones?
Allocate resources appropriately. Finally, conduct a cost-benefit analysis to identify how much specific cybersecurity investments will cost and how much the organization stands to gain from implementing them. When the expected benefits exceed the expected costs, the analysis supports making the additional cybersecurity investment. The optimal level of cybersecurity investment is the point of cost/benefit equilibrium, where the cost of one more dollar of security spending equals the expected loss that dollar avoids.
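The three steps above reduce to an expected-loss calculation, worked through here in Python as an added example that is not from the article or from Herren Associates. It assumes the breach probability function form S(z, v) = v / (αz + 1)^β from the Gordon-Loeb model; the baseline breach probability v and the α and β parameters are constructed inputs, and the $1 billion potential loss is the OPM estimate the article cites.

```python
def breach_probability(z, v, alpha, beta):
    """Probability of a breach after investing z dollars in security.

    Assumed form: S(z, v) = v / (alpha*z + 1)**beta, one class of security
    breach probability function from the Gordon-Loeb model. v is the breach
    probability with no investment (step 2, assess the probability); alpha
    and beta > 0 describe how quickly extra spending reduces it.
    """
    return v / (alpha * z + 1.0) ** beta

def expected_net_benefit(z, v, loss, alpha, beta):
    """Expected loss avoided by investing z (step 1 gives loss), minus z itself."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z

def marginal_benefit(z, v, loss, alpha, beta):
    """Reduction in expected loss per extra dollar invested at level z."""
    return v * loss * alpha * beta * (alpha * z + 1.0) ** (-(beta + 1.0))

def optimal_investment(v, loss, alpha, beta):
    """Step 3: the investment where marginal benefit equals the cost of one dollar.

    Solving marginal_benefit(z) == 1 for the assumed breach function gives a
    closed form; if even the first dollar does not pay for itself, invest 0.
    """
    k = v * loss * alpha * beta
    if k <= 1.0:
        return 0.0
    return (k ** (1.0 / (beta + 1.0)) - 1.0) / alpha

def grid_search(v, loss, alpha, beta, upper, steps=100000):
    """Brute-force check of the closed form: best z on a grid in [0, upper]."""
    best_z, best_val = 0.0, expected_net_benefit(0.0, v, loss, alpha, beta)
    for i in range(1, steps + 1):
        z = upper * i / steps
        val = expected_net_benefit(z, v, loss, alpha, beta)
        if val > best_val:
            best_z, best_val = z, val
    return best_z

if __name__ == "__main__":
    # Constructed inputs: potential loss of $1 billion (the OPM estimate cited
    # in the article), an assumed 30% baseline breach probability and assumed
    # alpha/beta values for the breach function.
    v, loss, alpha, beta = 0.30, 1.0e9, 1.0e-7, 1.0
    z_star = optimal_investment(v, loss, alpha, beta)
    print(f"optimal investment: ${z_star:,.0f}")
    print(f"expected net benefit: ${expected_net_benefit(z_star, v, loss, alpha, beta):,.0f}")
    print(f"breach probability after investment: {breach_probability(z_star, v, alpha, beta):.3f}")
```

Spending beyond the returned optimum still lowers the breach probability, but each additional dollar then avoids less than a dollar of expected loss, which is the point where the cost-benefit analysis stops supporting further investment.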
Federal decision makers recognize the need for robust investment to empower agency cybersecurity teams and transform their security posture. As recent breaches into government and corporate data sets show us, the consequences of failing to protect digital assets are severe. However, not all organizations are created equal. Because one size does not fit all, creating a tailored plan to meet the needs of your organization will ensure the highest level of defense while also providing the highest level of value to the taxpayer. Using these three practical steps, every federal decision maker can make smart choices about investing in cyber programs.
Jeffrey M. Voth is president of Herren Associates in Washington.