How Federal CISOs Can Make the Most of Security Resources They Have

Patrick D. Howard, CISSP, CISM, Kratos Technology & Training Solutions, was lead author of this peer-reviewed article.

Federal chief information security officers seldom have all the funding and personnel they need to protect agency information assets. However, this situation should not be an excuse for failing to seek ways to improve their agency’s cybersecurity posture through efficient use of the resources they do have available.

Every CISO should be intimately familiar with the organization’s budgeting process and should strategically forecast and request the needs they have identified, fully recognizing that it may be several budget cycles before these requests are fulfilled. The CISO also needs to actively ensure currently available resources are used effectively. No matter how limited such resources may be, CISOs must aim to stretch them as far as possible to promote effective risk management. To achieve this, the organization’s CISO should consider the following approaches to identify available resources to manage risks to agency information assets:

Prioritize Risks and Apply Available Funding Toward Their Mitigation

One of the foundational elements of sound risk management is to value assets according to their importance to the organization’s mission and focus efforts on their protection. There is seldom enough funding to protect every asset, and even if there were, it would be wasteful to fully protect every asset to the same degree. Hence, CISOs should use a standard risk assessment methodology to value and rank information assets to identify those most critical information systems for priority implementation of security controls to minimize the risk of loss, denial or compromise. This approach will lead to the identification of lower risk systems for which the CISO might be able to recommend diversion of resources to higher risk systems to make the most of funding available.

Optimize Existing Capabilities

CISOs should make a concerted effort to identify and evaluate the native security capabilities of existing systems and security tools to determine if they can be used to address current risks. This exercise will need to be performed in concert with the IT operations staff, system owners and other responsible entities. Although vendors may recommend procurement of new security products to mitigate risks, the CISO should avoid chasing the latest “shiny object” and settle on the purchase of a new security capability only after having systematically evaluated the capabilities of products the agency already has in place.

Team with Internal Partners

CISOs should realize that all cybersecurity funding does not have to flow through the CISO’s budget alone. Protection of the agency’s information assets can and should be shared with other agency entities. Obviously, system owners should be budgeting for the protection of their own systems. But similarly, other agency offices should assume budgeting responsibility for portions of the cybersecurity mission. For instance, the CISO should pursue integration of cybersecurity training into the overall agency training function as fully as possible. Or, some information security controls requirements might align more clearly under agency privacy initiatives. Both of these examples may lead to more efficient use of limited cybersecurity funding.

Realign Cybersecurity Staff Tasks

Another area where resources may be used more efficiently is through realignment or reprioritization of security staff tasks. The availability of qualified and dependable cybersecurity staff is always a concern, so their employment is of utmost importance. Demands on the CISO’s staff may change rapidly and so may task priorities. Consequently, the CISO should continuously assess utilization of security staff to ensure alignment with the highest priority tasks. External data calls and initiatives, as well as internal risk-driven business requirements, call for dynamic prioritization of the labor effort to ensure the most efficient utilization of personnel resources. The CISO’s ongoing assessment of task priorities must emphasize the needs of the current mission over “well this is the way we’ve always done it” type of thinking. Realignment of personnel to address emerging requirements may include development of new skills among government and contractor staff. However, the costs and time to develop such new capabilities could be worthwhile by improving the utilization of personnel resources performing high-priority tasks.

Unquestionably, federal CISOs must be outstanding managers to be able to protect agency information assets in times of severe resource constraints. This requires strong financial management skills and mastery of their organization’s budget process. They must also be capable personnel managers who can make the most of skilled security personnel who are normally in short supply. CISOs must be diligent team players who can promote cooperation throughout the organization to optimize existing capabilities and integrate security efforts into broader agency processes and initiatives. Finally, agency CISOs must be effective risk managers who are capable of effectively employing personnel and funds to protect the agency’s most critical information assets as a priority.