Page 30 - FCW, Sept/Oct 2018

FCW Perspectives: Cybersecurity the right way
Agencies have no shortage of mandates and top-down guidance, but true risk management starts elsewhere
Of all the government’s challenges on the cybersecurity front, getting the attention of top leaders is not one of them. Indeed, with so many mandates being given, agency officials can be forgiven for wondering which top priority to tackle first.
FCW recently gathered a group of IT security leaders from across government to discuss how they bring organization and prioritization to their many cybersecurity efforts. The discussion was on the record but not for individual attribution (see Page 24 for a list of participants), and the quotes have been edited for length and clarity. Here’s what the group had to say.
It takes more than a mandate
Unanimity was rare in the 90-minute conversation, but the participants agreed that top-down requirements on their own can’t change the government’s security posture.
“Anyone who has raised children knows that mandates don’t work,” one executive quipped. “It doesn’t change any large organization. It has to be that agencies have internalized with their mission that cyber is important.”
Another said public scorecards increase the compliance pressure on agencies. “Even though we’ve had the mandate for quite a long time, we still weren’t able to break through with what we needed to implement it,” the official said. But since being called out for poor scores, “we have shown tremendous progress toward getting things done.”
A third official pushed back on that, though, asking: “But how does that influence your funding? Literally, even if I scored an F on every part of my scorecard, I will get the funding that I need. Nobody’s pulling the rug under your feet right now.”
Most participants said the real pressure comes from the escalating cyberthreats their agencies face. “We have a very strange dynamic,” one said. “Inherent organizational inertia is coming head to head with a security tempo that’s forcing government to change.”
“I think we have no choice,” another participant said. “The adversaries are not going to say, ‘OK, we’ll give you time.’”
Buy-in vs. budget
Most participants said their agencies have truly internalized the importance of cybersecurity. “We’re finally past the point of trying to convince people that security is important,” one official said. “I am in the secretary’s office at least two or three times a month. So we’ll never have enough resources, money, people, but we are now at the point where it’s starting to be the first conversation that’s being had.”
Others agreed that the focus doesn’t often turn into funding. “If I had to define buy-in by budget, I’d probably say no,” one executive said. “If I define it by understanding, I would say, ‘Yes, of course.’”
And although acquisition rules and contracting officers tend to be cast as obstacles to almost any IT initiative, the group said those are not the problems with cybersecurity. As one participant put it, “The mechanism is there.... Wonderfully, acquisition is not the excuse anymore.”
Another said the problem more often is that program owners don’t want security costs to come out of their budgets, adding, “One of the things we keep missing the target on is that the security isn’t built in right from the beginning.”
“It’s coming to hurt us at the end,” another added. “We are going in and doing test after test after test without
22 September/October 2018
FCW.COM