Risk Management the Key
The OMB report identifies the two largest and most substantial risk factors as, first, the legacy systems prevalent across so many agencies, and second, the shortages of experienced and capable personnel to maintain them. A GAO report published in July 2019 echoes that conclusion. It states that the vast majority of government agencies surveyed listed “hiring and retaining key cyber security management personnel” as their biggest challenge to improving their cyber security.
The various government reports issued by the Senate, OMB and the GAO all align on what needs to be done to improve the cyber security of our nation’s federal agencies. They all agree that the first step is to put into place risk management systems that will allow agencies to identify which areas need to be addressed and in what priority. One reason this is so important is that any solutions will likely outlast an agency’s present leadership. As the GAO’s Marino points out, the average tenure of an agency chief information officer (CIO) is just two years. Technology solutions already proposed or in progress, such as the DHS’s National Cyber Security Protection System (NCPS), better known as Einstein, and the Continuous Diagnostics and Mitigation (CDM) program, may have lead times measuring a decade or more.
Identifying their most significant risk factors will allow each agency to make the case for the right budget to address these issues, regardless of leadership turnover, the operations and maintenance (O&M) needs that have for at least a decade taken up 80 percent of every agency’s IT budget, and other challenges. When you don’t know what you don’t know, that goal becomes far more difficult. “In cyber security management, it’s always a matter of accepting risk because of a lack of resources,” concludes Marino. “The best one can do is identify what creates the most risk.”