Federal CIOs are on the hot seat over cybersecurity after the revelation that the personal information of 4.2 million current and former federal employees was hacked. US Chief Information Officer (CIO) Tony Scott said this week that agencies need to rethink how they fund cybersecurity.
Scott said funding should not be an overall percentage of the IT budget, according to a report by Federal News Radio’s Jason Miller: “I think that’s the wrong way to think about security,” he said. “The right way to think about it is on a risk based analysis. We’ve got threats. We’ve got risks. Just like insurance, that has to be the equation when we are thinking about how much money we should spend on cybersecurity.”
How do federal agencies start building the business cases for greater resources to fund these programs, not only today but in the coming years? The best way to justify return on investment in cybersecurity programs is the development of a business case through the Capital Planning and Investment Control (CPIC) process. Here’s how CPIC can kick-start the cyber budget process, reveal gaps in coverage and agency understanding, and help with forward planning.
CPIC Sets the Foundation
Even with the growing cyber threat, in this era of ever-increasing financial pressure, agencies are being asked to defend their IT portfolios and adopt new technologies in order to reduce their IT spending. Cybersecurity teams must advocate for their programs and be able to defend the business case and the need for funding for development, implementation, and maintenance. That is accomplished through the CPIC process mandated by the Office of Management and Budget (OMB).
It will soon be September when agencies submit their IT Portfolios, including budget requests and initial BY17 business cases. Agency leaders and cybersecurity professionals should thoroughly review their IT portfolios and ask, “Do we have adequate funding to protect the agency from online attacks now and in the future?”
In a complex business and IT environment, the repeatable CPIC process enables the Federal Government to control its IT funding and manage IT programs. In layman’s terms, the CPIC process can be thought of as a three-legged stool – budget planning and implementation, program management and control, and management and oversight. Each leg is critical in order to support the stool.
Budget: The first leg is where agency budget staff set aside the funding and communicate funding levels for current and future years to programs. They also submit the formal funding request as a part of the federal budget process.
Program Management: This second leg is at the heart of any program. The program manager establishes, executes, and controls the program baseline based on a clear understanding of the requirements and scope.
Leadership and Oversight: The third leg establishes and reviews an agency’s portfolio. Agency leadership will work with program managers and budget staff on the investments that will be submitted for funding. It is leadership that has final authorization on the portfolio and what is reported outside of the agency.
Portfolio Reviews Can Identify Potential Cyber Weaknesses
Cybersecurity professionals should ask questions such as: Are resources in place to ensure that these programs can operate in a high-threat environment? Is funding in place to support current and future program requirements? This is more than examining last year’s budget to see how much was spent on cybersecurity and then allocating a nominal funding increase for future years. That is not effective planning and potentially increases risks to the programs. If the program’s needs are not being met, program professionals need to communicate this to leadership and budget staff.
CPIC Supports Forward Planning
CPIC was envisioned as a process that links budget planning and strategic planning to a specific program and its performance. By leveraging the OMB Business Case, the output of the CPIC process, agencies have at their fingertips a multi-year budget plan, a justified investment portfolio and business case, and an efficient plan for resource allocation.
The beginning of the new fiscal year provides the timeframe for all three parts of the CPIC stool to engage and analyze the data submitted to OMB in early September. Doing so will make a stronger case for the cybersecurity programs that will be a major requirement in the future. Now is the time to ask and answer the question, “Does our agency’s IT program make the budget case to counter expected cybersecurity threats?”