Page 33 - FCW, September 15, 2017

six months in each one of these categories in the framework.’ This is the maturity that we are measuring.”
Such accountability is also encouraging collaboration, another participant said.
“There are some efforts going on now where several of the departments are coming together at the CISO level to actually sit down and talk about common ways that we can solve some of these problems,” he said.
“There are varying levels of security maturity when you look at some of these initiatives,” the executive added. “Those agencies that are more mature have some significant lessons on how they do this. I want to see what they are because, frankly, I don’t want to have to relearn them. And on the converse, if somebody else needs the ideas that we’ve already worked through, we’re more than happy to share those.”
Another participant said the different initiatives — IT modernization, the president’s management agenda, data center optimization and other cross-agency priority goals — are increasingly coming together as a coherent set of components for the broader mission of cybersecurity.
“I like the idea that we’re getting all levels of input on this,” he said. “I think it does raise the level and turns up the heat a little bit for the CISOs and the CIOs. But the benefit to that is that you get the interest level from the top.”
Making the budget case
Buy-in, however, is not the same as actually having the dollars with which to buy. “This is the question of the ages,” one participant said. “What is the value of one more dollar of cybersecurity spend?”
He added that “it’s almost like proving the negative, trying to defend your cybersecurity dollar. It’s an insurance policy, and trying to sell that insurance policy is often very, very difficult.”
“I don’t think everything’s a dollar-based decision anyway in this world,” another participant said. “That’s part of the challenge. A lot of these risks that we see could be existential to your organization, and there’s no amount of insurance that you can purchase to thwart that risk.”
Another participant, however, cited economic research that suggests a 1 percent increase in new IT spending generally results in a 5 percent decrease in security breaches. “So you can communicate that pretty easily to your CFO without having to reinvent those metrics,” she said.
And with IT modernization still an unfunded aspiration, improved security is going to have to be paid for by the programs themselves, participants agreed.
“I think you don’t have a choice,” one executive said. “Whatever assessment you need to do at the end of the day, you budget for that right upfront in the program. If you’re doing agile development, you create standards of what you want to be doing, and you hold the program accountable to the standards.”
Such an approach not only sources dollars, he said, but also saves them while incorporating security at the beginning, where it belongs. “You’re paying for it right upfront in the program, and it’s not an add-on so you don’t have to go back later,” he added. “It’s done and it’s completed — and it’s a lot cheaper.”
The need for speed
As those last points suggest, the group viewed DevOps as a critical tool for breaking the cycle of outdated and insecure systems.
“There’s been a lot of good strategy with respect to what you can do for cybersecurity,” one participant said, “but the speed of implementing has been so, so slow that as a result, the risk changes before you can get that strategy in.”
“Somehow we forgot that time is important in the work we do,” another