For better cybersecurity, be nice to your CFO

Instead of looking for the new hire or the next great tech to protect federal networks, agency cybersecurity officials could get more done by befriending their financial counterparts.


Nearly every federal employee, even those whose IT experience begins and ends at using a computer for work, is capable of contributing to the protection of U.S. government networks.

While CIOs and CISOs bring the expertise and experience needed to manage large IT enterprises, chief financial officers bring money and vision. Their control over an agency's budget requests and strategic planning process makes them gatekeepers whose support can often mean the difference between getting the necessary funding for critical cybersecurity priorities and simply making do.

"Why should I be collaborative with my CFO? That's where the money is," said Rod Turk, acting CIO of the Commerce Department at a May 1 event hosted by the Association of Government Accountants. "And frankly…if you start talking bits and bytes to your CFO, they're not going to understand. When they don't understand, guess what? You don't get the money."

A good CFO who understands what his IT colleagues need can break bureaucratic logjams, champion projects competing for limited funding and provide a whole-of-agency focus for critical cybersecurity initiatives. Mark Kniedinger, director of cybersecurity and communications at the Department of Homeland Security, said agency CIOs could benefit from the holistic viewpoint that CFOs have of their agency's operations and lean on them to effectively cut through red tape in a crisis.

"There are times that things need to move rapidly because of a major threat, so from that perspective, the CFO working with the CIO, taking a look at how things can be expedited in a more agile fashion, that's a key relationship," said Kniedinger.

Many conversations on improving federal cybersecurity often revolve around hiring and recruiting more cybersecurity talent or pining for tools like Artificial Intelligence, automation or blockchain to rescue federal agencies. However, senior federal IT and cybersecurity officials have spent much of the past year signaling that they lack the money, organizational flexibility and culture to close the workforce gap through human resource solutions.

In December 2017, acting federal CISO Grant Schneider said the government must focus on automation and other technologies, not people, to make a dent in the problem. Last week, when DHS Assistant Secretary for the Office of Cybersecurity and Communications

Jeanette Manfra was pressed by Congress last week for her thoughts on legislative proposals to encourage more hiring, she responded that the agency was trying to think differently about its workforce needs because "we can't meet the [personnel] demands with the current model."

Simply getting feds outside of IT organizations to think about their own responsibilities protecting their network and devices can pay some of the most immediate dividends. Kniedinger said a good chunk of his job is consists of communicating to agencies that "cyber is not just owned by the CIO or CISO. It's owned by the mission area, it's owned by everyone who has responsibility for data."