By Craig P. Orgeron, CIO & Executive Director, State of Mississippi
In the 2014 Deloitte-NASCIO Cybersecurity Study, one of the more telling findings notes that a budget-strategy disconnect is apparent in states, preventing the adequate funding of cyber budgets. That finding captures the challenge public sector CIOs face in conveying the seriousness of the cyber threat as it exists today. It is clear that communicating the immense risks posed by cyber threats can be as demanding as dealing with the actual security problem. Hence, it is essential that elected officials come to fully understand the potential economic impact of a cybersecurity breach.
Cybersecurity breach data and analysis can, in fact, paint many differing pictures. Yet, it is generally agreed that the costs of a security breach are escalating, and according to the 2014 Global Cost of Data Breach Study the cost, on average, to remediate a data breach can reach nearly $6 million for an organization, with an average cost of $195 for each compromised record. These, and other data points, are trending ever higher and ever broader. And consider a report from the Identity Theft Resource Center, which details that, in addition to the rising costs of remediation, breaches are occurring at a higher rate, with estimated year-over-year increases of 25 percent, and with nearly a third of the entities on its list being public sector organizations. Given the attention being paid to cybersecurity, obtaining adequate funding would presumably not be difficult; yet, as noted in the Deloitte-NASCIO Cybersecurity Study, while budgets are on the rise, the gap in adequate funding remains operationally concerning.
The budget-strategy disconnect in this instance, and in others, represents a common dilemma in public sector budgeting: proficiently communicating the need with the appropriate degree of urgency to influence funding, without resorting to hyperbolic language and tactics. The constant barrage of house-on-fire language makes it difficult to tease out the seriousness of the funding need. And many times funding, and interest, come only after very damaging breaches occur. Two state-level breaches sounded an alarm for an increased focus on cybersecurity. The first occurred in South Carolina, at the Department of Revenue, exposing the tax records of some 3.8 million taxpayers at a cost of $41 million. The second, a breach in Utah, compromised 750,000 Medicaid records and cost the state $9 million. Both breaches, high-profile in nature, garnered much attention, and much discussion regarding not only adequate funding but also appropriate governance of cyber operations across states. Yet, as is so often the case in the public sector, the initial furor cuts a direct path to complacency, and budget battles are consumed by other pressing needs. Even while conventional wisdom still holds the "it-is-just-a-matter-of-time" view of cyber breaches, soliciting funds for cyber activities proves challenging.
The budget-strategy disconnect may resolve over time, as cyber needs are more readily included in government programs at all levels rather than singled out for specific funding priority. Yet it may also be that, in funding public budgets, certain needs simply cannot be ignored, public health and K-12 education, for example. These needs are real and ever-present. At the same time, technology systems may run for years without major incident, providing the appearance of efficient functionality, only to be interrupted by a breach and the onslaught of finger-pointing. Public sector breaches can be particularly damaging, given the often catastrophic loss of trust in a government on which a great deal of responsibility lies for maintaining and securing mission-critical technology, data and infrastructure.
Yet the challenge only seems to be deepening. Cyber threats are evolving rapidly, making accurate estimates of fiscal risk difficult to ascertain. And technologically, the quick adoption of mobile computing devices and an expanding reliance on the hyper-scalability of cloud computing only complicate the cyber threat landscape. One of the more prescient observations in the recently published Guide to Cybersecurity as Risk Management: The Role of Elected Officials, by CGI and the Governing Institute, suggests integrating cybersecurity into project-oriented risk management procedures as a way to increase the effectiveness of operational planning and, importantly, to strengthen funding requests for consideration during the appropriations process. As a stand-alone program, cybersecurity threat funding looms as a behemoth, capable of consuming large budgets while producing lackluster metrics.
In the Guide to Cybersecurity as Risk Management the argument is well articulated: when used in conjunction with a process-driven risk management strategy, the cybersecurity effort becomes an over-arching framework driven by the needs set out in a cost-justified business case. Within the context of that business case, the cyber risks associated with funding a specific program are considered alongside the program itself. Thus, as the Guide notes, funding requests for cybersecurity become more tightly integrated into public sector programmatic budgeting processes. This approach is an effective model for communicating cybersecurity needs to elected officials. The risk-oriented approach also tends to serve as a way to prioritize funding requests, which assists in the appropriations process and enables a collective dialogue pointing towards right-sized funding priorities and strategies. With the continued growth of cyber programs, prioritization and continuous threat monitoring are integral to success.
Still, the Deloitte-NASCIO Cybersecurity Study documents, with survey data from across the states, that while cyber budgets have seen increases, the lack of adequate funding is cited by Chief Information Security Officers as a significant obstacle to the overall health of a cybersecurity program. In addition, states often have found success in seeking alternative sources of cyber funding, with much support coming to states from the U.S. Department of Homeland Security. And, with breach remediation costs often estimated to rise by 15 percent or more each year, other funding sources may well be needed to keep cyber programs healthy and effective.
However, as is the case throughout public sector budgeting, the needs often outweigh available funds, requiring targeted strategy and communication approaches to secure funding, especially for cybersecurity. Yet even with excellent strategy and planning, thorough communication, and integration into risk management methodologies, funding for cybersecurity will continue to be a challenge. With large amounts of federal funding flowing to states for a myriad of programs, more organized and systematic cost allocation requirements for spending federal funds on enterprise-wide cybersecurity improvements may be one way to empower CIOs with the flexibility needed to lead expansive cybersecurity efforts, while lessening funding constraints.