FCWPerspectives
   22
July/August 2018 FCW.COM
and bottlenecks at the agencies, but if we can say we’re bringing in a team of five people to help you with it, you won’t have to pull your engineers off another priority project.”
One executive argued that “agencies have a responsibility to try to stream- line this internally as much as they can. Obviously, we need leadership support all the way to the top. We also need to have close interaction and partner- ship with our operations folks because security and operations — from the very beginning of time when security became a real discipline — have never really worked closely together. CDM is kind of the bridge that we need to help do that.”
The group agreed it’s a delicate bal- ance. With Phase 3, one said, “you’re bringing the network back in. The net- work integration with security is some- thing that the agency leadership cares about and our CFO conversations are very much about. But I have to make sure the agency continues to perform its mission. You can’t take my network
down. I understand security is impor- tant, but I need sane security for the things that need to be done.”
Another participant said that “the problem is tougher in some ways but also easier in some ways because the goal in Phase 3 and Phase 4 is pro- tecting the network and the data. It is no longer just reporting to a dash- board. The dashboard gives awareness of where you need to focus, but it’s about protecting your crown jewels, which are the data and the networks that transport that data. And I actually think that’s going to make our lives a bit easier with that dialogue with the network folks because now we’re working toward a common, shared purpose.”
Budgets and leadership buy-in
Despite the frustrations and concerns, many participants said they believe CDM holds tremendous promise.
“I’m a firm believer in what CDM has to offer,” one executive said. “It’s a real, rare opportunity we’ve never
had to actually get out of this world where everything is paper based and transform the government into that ongoing authorization and that ongo- ing assessment.”
One question, though, is clear: How do IT leaders discuss it in a way that CFOs can understand?
A participant referenced the earlier conversation about security and opera- tions and said, “We’ve got to get these tools tied in at the operational level. We’ve already seen that once the tools are starting to be used for operational purposes, for understanding inventory and understanding what software we have installed, it starts to transform the conversation within the agency.”
“Originally, I was moving from com- pliance to cyber hygiene,” another said. “Now we’re looking to get holistic capabilities across the agency to be able to respond to a threat. And that’s going to take more than just this com- pliant piece or this single module. It’s a more complex understanding of what the threat is and what the needs are.”