Prioritizing IT spending through cyber risk assessments
Journal of Government Financial Management, Fall 2016
Changes and emerging trends in federal information technology make it critical for federal chief information officers and chief financial officers to work together to understand organizational challenges, and to collaborate on solutions to defend against evolving cyber threats—prioritizing their cyber preparedness in association with financial and mission-critical activities.
What’s at risk?
Changes and emerging trends in federal information technology (IT) make it critical for federal chief information officers (CIOs) and chief financial officers (CFOs) to work together to understand their organizations’ challenges, and collaborate on strategies and solutions to defend against cyber threats. As federal agencies begin to move their operations to shared services platforms and continue to modernize their systems (e.g., retiring legacy systems, migrating to the cloud, launching digital services), allocation of financial resources and focus on cybersecurity spending become increasingly important given the threat environment, the necessity to understand the risks posed within that environment, and the imperative to invest in strategies to address those risks. In an effort to support agencies through this ever-evolving cyber environment, the federal government proposes increasing its fiscal year (FY) 2017 cybersecurity budget.1
Top five reasons federal financial managers should be diligent about managing cyber risk
- Federal agencies are not spending their resources efficiently; despite increasing budgets and spending, risks are not mitigated and attacks are not thwarted.
- Actual cyberattack and security breach recovery costs may exceed the budget.
- Protecting data (federal employee data, citizen data, and trade secrets) is a part of civic duty.
- Limiting taxpayers’ financial exposure is a part of civic duty (e.g., Office of Personnel Management's (OPM) data breach, which indirectly affects taxpayers and directly affects 28 million people).
- Federal CIOs are required to responsibly manage IT resources to be compliant with applicable laws or regulations, and to secure against cyber threats.
Cybersecurity is not a check-the-box exercise.
Considerations for improving cyber risk management practices
Sophisticated cyberattack methods, combined with widespread changes in the IT landscape, create greater risks for federal agencies. In addition to mechanisms and strategies currently in place, federal agencies should consider expanding their portfolio of solutions/procedures to manage increased and complex risks. To that end, enterprise-level risk mitigation across the full lifecycle of protection, detection, and incident response to achieve optimal security, vigilance, and resilience can be a challenge for many agencies. As such, it is critical for CFOs and CIOs to prioritize cyber preparedness along with financial and mission-critical activities. In an effort to address evolving federal requirements (e.g., the Federal Information Technology Acquisition Reform Act (FITARA)) and to keep pace with the demands of IT modernization while managing cyber risk, agencies should:
- Include a cyber risk assessment in support of an overall enterprise risk management (ERM) program;
- Confirm that the IT budget reflects the results of the cyber risk assessment and that training and incident response costs are incorporated;
- Improve employee training to increase awareness and keep up with changes in technology and threat actors; and
- Develop an incident response plan, and conduct mock incidents to test the plan and improve resiliency.
Federal CIOs—working alongside CFOs and other agency leaders throughout the cyber risk assessment process—will have improved visibility and insight into cybersecurity threats and risks, and their potential impact on achieving agency objectives. This coordination and collaboration will also provide an increased understanding of agency-wide cybersecurity training and incident response requirements. It is imperative that CFOs, CIOs, and leadership personnel establish innovative and repeatable means to advance efforts in understanding and mitigating the ever-evolving cyber threats.
Copyright 2016 & 2017. Association of Government Accountants. AGA® and the Journal of Government Financial Management® are registered trademarks. Republished with permission. All rights reserved.
Meet the authors
Deborah Golden, a principal with Deloitte & Touche LLP, leads the Federal Cyber Risk Services practice and has 20 years of information technology, security, and privacy experience. She specializes in providing cybersecurity and identity and access management services to federal, life sciences and health, and financial services clients.
Rebecca Tyler, CISA, a principal with Deloitte & Touche LLP with 15 years of experience, specializes in IT strategy and governance—including enterprise cybersecurity strategy planning and execution, information security governance, and audit remediation, as well as IT risk management framework development and implementation. She primarily serves clients in the federal health sector.
Danielle Eucker, CISA, CIA, PMP, a senior manager with Deloitte & Touche LLP, specializes in risk management, business process and IT controls design and implementation, and internal audit. Her recent work includes cybersecurity strategy planning and implementation, and IT security remediation.
Joseph Meyers, JD, MS, Security+, CISSP, a senior consultant with Deloitte & Touche LLP, specializes in cloud-based, host-based, and biomedical device cybersecurity. He serves federal clients in the national defense, civilian, and health sectors.