Want More Budget? Think Risk

In September 2017, the federal fiscal year ended. Congress is actively working on the approval of a budget based on recommendations from the President and Office of Management and Budget (OMB) to decide which budget requests to fund. 

At the same time, agencies are currently submitting their budget requests for fiscal year 2019 to the OMB. This year, requests pertaining to cyber security will most likely be catapulted to the top, particularly considering the recent SEC hack coupled with a string of others – NSA, CIA, etc. – and increasing government regulation. However, this year's requests may, or should, take on a different focus than those of the past. Instead of solely focusing on technology (e.g. a request for a new firewall to block external bad actors), cyber leaders are turning their attention to risk. 

The shift is mainly in response to the government pushing the adoption of cyber risk management programs. For example, the President's Cybersecurity Executive Order requires that agencies collect and report metrics with an eye towards risk rather than simply technology. Agencies must assign an executive-level individual to submit the metrics to the Department of Homeland Security (DHS), which will then input them into a risk analysis system. In return, agencies will receive a cyber risk scorecard that includes gaps to mitigate. The order pushes the adoption of the NIST Cybersecurity Framework, which requires conducting risk assessments, continuous monitoring, identifying the assets most impactful to the mission, implementing protections for those assets first, and more. NIST also released Special Publication 800-39, referenced by the framework, which centers on managing information security risk by quantifying applications and understanding the mission impact if certain applications were compromised. 

It is clear government leaders are sending federal cyber leaders a message – if you want your budget requests approved, jump on the risk management bandwagon.

It's a good bandwagon to be on for many reasons. The old way of managing cyber security wasn't working. Agencies relied on criticality scores to determine which threats and vulnerabilities to mitigate first, leading to a mad scramble trying to patch every vulnerability and follow up on every threat. Government cyber teams do not have the personnel, funds, or resources to try to fix everything. And even when they thought they were well resourced and funded to implement that approach, it proved to be an ineffective way of securing the environment. Consider the OMB breach, which was first discovered in 2015. Given that the OMB sets the budget, general requirements and regulatory processes around implementing regulation, when the agency itself was hacked, it was like the police department being robbed. The incident highlighted the fact that agencies were not being effective in securing their environment.

Trying to secure everything makes organizations ineffective at securing anything. The key is to focus first on the assets that are most important to the mission and prioritize the threats and vulnerabilities that put those assets at risk of a compromise. That's a risk management approach and the most effective way of securing an environment in a world where limited resources are simply a reality. It enables agencies to use their current resources to the fullest without having to add manpower or spread their current employees too thin.

So for this year's budget requests, those that get approved will most likely tie to how the investment will decrease overall risk. Through regulation and guidance, the federal government is shifting its allocation of resources towards reducing risk, which suggests risk management will be a strong guiding principle of cyber security programs going forward. As the OMB learned firsthand, managing security through criticality doesn't work; managing risk is a better approach. 

As we wait for the approval of the FY 2018 budget and wrap up the request period for FY 2019, keep an eye on the cyber portion. If your request for a better insider threat management tool explained how the tool would minimize the overall risk to the organization, there's a good chance your request will be approved. If not, next time incorporate more risk management.