How Audits Can Increase Infosec Budgets
Exposing Vulnerabilities Helps Justify Need for More Money
Mike Brown and Amry Junaideen, senior manager and federal cybersecurity leader, respectively, at the business consultancy Deloitte and Touche's federal technology practice, explain that cybersecurity is so intertwined with every part of an organization's mission that the case for strong security is impossible to ignore.
"If CISOs and other people who are responsible for this can truly tie [security] to the mission ... they've got a higher likelihood that their budget cuts will not be as significant as somebody else who might actually view security as being something that has to be done," says Junaideen, in an interview with Information Security Media Group's Eric Chabrow (transcript below).
And with tight budgets, any extra bit of funding helps.
Another aspect of educating non-IT leaders on information security concerns is putting it in business terms. "You have to try to make them see what the threat is and what the results are of those threat scenarios, and what it does to the business," Brown says. "If you're talking to the [chief financial officer], you've got to be able to translate what it is you do into terms the CFO could understand."
Chief information security officers and other security managers, in the end, need to employ marketing tactics to make sure that they have packaged the value of security so that senior executives in government can see the value and keep the funding flow going, Junaideen says.
In the interview, Brown and Junaideen emphasize:
- Tying increased funding to the success of the organization's mission by reducing risk;
- Educating non-IT managers and executives about IT security by explaining in business terms how the lack of increased IT security could adversely affect the business;
- Not leaving anything to chance by creating an information risk management framework that shows the need for security to promote the organization's objectives.
Before a stint as CISO at the Federal Aviation Administration, Brown served as the chief information officer at the Army National Guard. A retired Army colonel, he served as the director of the Army's information assurance office and oversaw the vulnerability analysis of all weapons systems that supported the service's first digitized force.
Junaideen has more than 20 years of experience serving a wide variety of multinational clients and leading global teams on many risk management and information technology projects. He has been a principal at Deloitte and Touche for more than a decade.
Budgets: Best Bang for Buck
ERIC CHABROW: Money is tight everywhere. How should chief information security officers get the best bang for their buck?
AMRY JUNAIDEEN: I think that's a great question and a question that's being asked by all of our CISOs in the federal community. I want to take us back just for a couple of minutes to what the private sector experienced about 3-4 years ago in the throes of the recession. They were faced with the same question, which is we need to manage risk. We need to achieve compliance and we need to do it with less - less resources, less money. I think there are quite a few pages from that book that the federal government and its agencies can actually take, but fundamentally it involves using a sound risk management process. I know that a risk management process could mean a lot of different things to a lot of different people, but quite simply put, and we can get into the details later, it's really about knowing where your assets are and truly understanding what's important in order of impact, complexity, brand, reputation and all of that. Have a process in place to make sure that those things that are most important are taken care of first, because I often say if everything is in focus, nothing is, and I believe that a fundamental and thorough risk management process is fundamental to achieving this concept of more with less.
MIKE BROWN: As a former CISO, living in a resource-constrained environment for me wasn't really anything new. We were always facing shrinking bottom line-type budgets and having to do more with less. But what I found really helpful in the operation that I ran both in the Army and in the FAA was to understand what the core of business is for the agency or department that you're associated with, and then trying to see what it is that I did that really supported that core business.
What that drove me to do was to get a better understanding, a good understanding, of exactly what applications, what systems, made up and supported that core business. I had to do a really tight look at asset management, applications, software and systems, then kind of do a rack-and-stack as to which ones were critical to the business and which ones were less critical to the business. Once I did that, then I was able to go through the C&A (certification and accreditation) work and be able to determine where the high vulnerabilities, moderates and low vulnerabilities were. That's kind of where I put the emphasis on, but then I also had to step back and take more of a comprehensive look to try to understand the landscape around the vulnerabilities, because what I found was that a lot of times you could mitigate one or two vulnerabilities at a higher level and therefore remediate multiple vulnerabilities that were popping up in other systems, and thereby not have to spend those dollars fixing each individual system but bringing it up to a higher level and then fixing one or two, and then the whole system benefited from those.
Common CISO Errors
CHABROW: I'm assuming a lot of organizations are doing risk management assessments. If they aren't, then I guess they're in a lot of trouble. Amry, you said something that was interesting, that everything should not be in focus. That suggests that maybe CISOs or other people are doing too much in trying to determine what their IT security challenges are. What are some of the things, with good intentions, CISOs and others are doing but shouldn't be doing in determining their risk?
JUNAIDEEN: I think they're quite numerous, but if I can focus on just a couple, one is I believe that some CISOs, in an attempt to try and satisfy every single compliance requirement and every single checklist out there, sometimes ... might duplicate work. If you use a simple concept of "test one, assess many," I think that this is a simple paradigm that a lot of CISOs don't understand. You've got activities that take place inside the CISO's organization and beyond, because there might be assessments being done by other parts of the organization, maybe it's some kind of an internal audit-type function or it might be the CIO organization, etc. There might be multiple risk assessments and processes that basically are duplicated, really trying to accomplish the same objective. One of the worst practices that I've seen is the huge amount of duplication.
The second thing I have seen is the tremendous amount of paperwork and busy work, and reams of manuals that ultimately don't help achieve the objective of reducing risk. I think that CISOs need to flip the switch and basically say, "How can I actually focus on things that are most effective? Also, can I use more technology to be more effective, by which I can identify risk, assess it and very quickly adopt the new paradigm of continuous monitoring to make sure that once I know what risks I'm trying to work with, do I have the technologies in place and the processes in place to make sure that I'm continuously monitoring my risk environment vs. simply going through the process of satisfying the auditor or satisfying somebody else purely from a compliance perspective?"
Satisfying the Auditor
CHABROW: Is there too much concern about satisfying the auditor? We've heard a lot in the past year about moving to continuous monitoring and that the Federal Information Security Management Act compliance really doesn't mean much. You're checking things off. It doesn't actually show that you're securing your systems. Doesn't it in some ways hurt the ability of organizations to effectively and efficiently use the least resources to secure their IT?
BROWN: Actually not. What I found in the Army was that as I started to build the Army's program, I was actually joined at the hip with the Army Audit Agency and it provided me a lot of benefit to be able to get into areas that had I not had auditors with me, I wouldn't have been able to get into. At the FAA we were constantly getting audited by the Government Accountability Office, by our Department IG, and really even though it may sound kind of harsh that was really a benefit because I could use then the reports that I got from that, which were independent evaluations of where the agency and the department stood, and use that as part of the budget justification for going in and requesting additional dollars. We were really successful in using that kind of approach to be able to increase funding not only to take care of our high vulnerabilities and systems, but also to start getting funding to be able to address the moderate-level funding. Even though they would find weaknesses in the program, for me it was a real benefit because I could then take those independent assessments and reports which then filtered up to OMB (Office of Management and Budget), which then resulted in appearances before Vivek [Kundra] at the Federal CIO Council and such. Those things really helped out to put in a budget justification for requesting additional dollars.
JUNAIDEEN: The key thing here is there are some necessary evils when you basically run an enterprise, information security office or what have you. Some levels of compliance you've just got to grit your teeth and do it right. I think, and I agree with Mike, that often times you can actually tremendously benefit from the outcomes and the findings because people pay attention to it like people pay attention to score cards. If you're basically appearing as an organization that has reds and yellows all over, it can actually help the budget justifications, etc. But I think the key thing is to do those necessary evils as efficiently and effectively as possible. Can I get things done faster that are cheaper? Quite frankly, like you said money is tight, so our government really has to adopt some of those practices in doing things faster, doing things better, getting it done and then focusing on the risk.
The other thing is this. Tying to your mission is one of the most important things that a CISO can do as well, because ultimately if you basically get away from the paradigm that security can really enable your mission and make your customers and stakeholder groups happier, while reducing risk, I believe that's a much more powerful story that can resonate clearly now in the federal space.
Budget Cuts & IT Security
CHABROW: Obviously with budget cuts being called for by Congress, in reality whether that's actually cutting or just decreasing the growth rate, how much do you see IT security being part of those cutbacks? And if so, what's the next step people should take, or the strategy they should use, in working with their non-IT bosses in getting the money they need?
JUNAIDEEN: That's really the $10 million question that everybody is asking. There are some people on one polar end of the spectrum who basically say, "Cybersecurity is now a presidential agenda item. We're basically subject to millions of attacks a day and our sensitive information, systems, networks and our critical infrastructure can be compromised." So perhaps, it's one of those areas that will basically go fairly unscathed, right? That's one end of the spectrum, kind of the optimistic view. The other end of the spectrum is it's going to get cuts just like most other areas. I believe that it's probably going to be some place in the middle, getting slightly protected. At the end of the day, cyber is so pervasive that no part of the mission is absent or can ignore the whole concept of sound cybersecurity, and if CISOs and other people who are responsible for this can truly tie to the mission, mission effectiveness, mission protection and mission enablement, I believe that they've got a higher likelihood that their budget cuts will not be as significant as somebody else who might actually view security as being something that has to be done. It's kind of nothing but a necessary evil, so let's basically skimp on it, try to cut it down to the bone and make sure that we kind of move on to the next thing.
BROWN: It also involves a certain amount of education on the part of the CISO, educating the non-IT folks on exactly what it is he's doing, but you have to put it in business terms and try to make them see what the threat is and what the results are of those threat scenarios, and what it does to the business. If you're talking to the CFO, you've got to be able to translate what it is you do into terms the CFO would understand, which is what we did at the FAA and as a result we got money added into our baseline, once they understood the implications and ramifications of what it is we were doing and how it affected the business.
CHABROW: Can you tell us what happened at the FAA?
BROWN: We got the CFO and his staff together and we gave them a threat briefing to the appropriate level that we could about what it is that we're looking at and seeing: how the number of events that we had been tracking per month had really grown exponentially; what systems we were seeing getting visited; where our phishing attacks were coming in against the senior leadership; if we had any exfiltration of data, what those files were that got moved out.
Those kinds of things make a large impression because he had no idea any of that was going on and what the impact was to the business. What would be the impact if we lost our Internet connections through which flowed the Delphi-Prism financial systems going to the department and to OMB, or the ability to issue grants out to the airports? Those kinds of things they went, "Wow, really, we didn't know that was going on." Taking that kind of an approach, we were able to increase our baseline of yearly funding to account for trying to take steps to remediate the impact on the business of those issues that we were having.
Non-IT Leaders & Security Concept
CHABROW: Do you think most non-IT leaders in the various agencies and departments at this point grasp the threats that could occur to their systems, or do you still think there are a lot of people out there who don't quite appreciate them?
JUNAIDEEN: I think it's a mixed bag. I think there are some people ... who have been bitten by some kind of an event. That's kind of the rude awakening, the people had been made believers when something bad happens and they basically get a lot of press and publicity and there's a lot of noise around some kind of an event. I think those kinds of people may or may not have been believers in the past and now they basically have become believers because something has happened. Some people who have the importance of cybersecurity in their DNA, they've got religion and they believe and are vocal advocates, and there are some people who basically need to be educated and Mike talked about the process that you've got to take people through to get them to a point where they say, "Alright, security protects our mission and it enables our mission. It's important. Let's do it even in the face of budget cuts and that sort of thing."
One of the things that I'll bring from the private sector that may be even relevant in the federal space going forward, is CISOs inside of the commercial sector might even be using, I hate to put it this way, marketing tactics in terms of making sure that they have packaged the value of security so that senior executives in government can see the value and keep the funding flow going.
Advice for CISOs
CHABROW: If you had to give three pieces of advice, what would they be to the CISO to make sure he or she gets the money needed to secure their IT?
JUNAIDEEN: From my perspective, and I'll let our former CISO have the last word here, make sure that you basically leave nothing to chance. Prepare for it right now, adopt a risk management process and make your security processes a lot more effective than they are right now. Number two, make sure you truly understand your mission and the mission that you serve, and figure out how you connect cybersecurity to the mission so that you've got a much better chance of broader adoption and funding. And number three, always look to figure out how you can actually do more with less. You do have current security processes, either implementation or assessment processes that basically can be done with fewer resources. Don't wait until you're forced to reduce resources. Figure out ways you can actually do it better, cheaper, faster.
BROWN: Amry is spot on with each of the three points that he's made. The only other thing that I would add would be that the CISO now has to really be kind of a strategic thinker, and become less reactive to the situation and to dealing with daily events. To quote a soccer phrase, "Be able to get his head up the ball and see the field," to be able to look out three years, four years, five years, to be able to see where new developments are coming in, what systems are going to be fielded, what new technologies might be on the horizon, they have to [be] prepared to be able to execute their role in protecting the federal systems as well as federal information. There has to be a certain realm of strategic design in planning that they have to embark on, in addition to dealing with the daily crises that they face every day.