The inability of IT leaders to hold people accountable for their actions has long been a challenge in the federal tech community and remains one of the biggest barriers to implementing robust risk management governmentwide. In fact, federal cybersecurity is essentially a risk-management issue. Effective risk management is hindered, however, by fragmented and non-empowered governance.
Although Congress made strides in the early and mid-2000s to enhance information security governance through legislation, specifically the Government Information Security Reform Act of 2001, the Federal Information Security Management Act of 2002 and the Federal Information Security Modernization Act of 2014, the laws did not fully address the nuances of risk management and cybersecurity governance.
“Governance is centered around accountability, and the ability to hold people responsible for not doing what they’re supposed to do or purposefully neglecting their responsibilities,” said Bruce Brody, Director at PricewaterhouseCoopers (PwC). “The chief information officer and chief information security officer are usually unable to hold officials in their department accountable because of governance fragmentation.”
CIOs and CISOs usually do not have as much clout and visibility as other agency leaders, particularly those who have dedicated budgets to oversee. But that is gradually changing, thanks to provisions in the Federal Information Technology Acquisition Reform Act (FITARA). The law requires that CIOs be empowered to review and approve IT spending and root out waste and duplication in IT budgets. Ensuring CIOs have the clout they need to carry out these duties is key to establishing strong governance. When IT leaders are empowered to hold people accountable for their negligence or inattention to duties, they can better identify and address the risks associated with those actions.
“The question is how CIOs and CISOs will marshal emerging tools that their agencies want to buy and how to manage them under a solid governance program,” Brody said. “That includes capabilities such as the Continuous Diagnostics and Mitigation (CDM) tools being rolled out by the Department of Homeland Security.”
When IT leaders make decisions about where to invest their cybersecurity dollars, whether on tools or personnel, they must consider how that funding will help reduce security risks. It’s impossible to eliminate all risks, especially when humans are involved, but agencies should make a concerted effort to assess the level of risk, how to mitigate it and whether there are options that provide the same results but introduce less risk.
That’s not all agency leaders should consider when developing a sound governance plan. They have to ensure a solid security architecture is in place. This evolving architecture and framework should guide how information security systems and practices work together to accomplish an agency’s mission. Having a strong framework that defines processes and procedures for implementing security policies is also key.
“If CDM, a solid and enforceable set of security policies, a strong security architecture, FITARA [Federal Information Technology Acquisition Reform Act] and similar tools are properly employed by the CIO and CISO, these things can begin to help them get their hands around the problem of governance,” Brody said.
But tackling this ongoing issue takes time and commitment at all levels of an organization. “Consider that IT leaders are balancing their daily responsibilities, long-term goals and tight budgets,” noted Dave Bowen, Managing Director at PwC. “They’re also working to change the hearts and minds of colleagues and senior officials who view investments in security as insurance — something that’s nice to have but not a necessity.” Governmentwide, there is a natural tendency to invest in things that are consistent with the mission, and security must be one of them. In fact, security must be an enabler of an agency’s mission.