Introducing the Government’s Great InfoSec Equities Issue

Posted December 9th, 2008 by

Government and information security–it really means two different things, and I’m going to break it down for you “Big Bird Stylie” as something I call the InfoSec Equities Issue.

If you’re like me, you have to be wondering the same things over and over again:

  • Why is is that DHS has perpetually scored low on their FISMA report card and yet they are supposed to be leading the way for cybersecurity for the nation as a whole? (FYI, they got a B+ for FY 2007)
  • How is it that the Government as a whole can have these gianormous data breaches ala the Veterans Administration and yet still claim to know how to help us secure our systems?
  • Does the FTC really expect me to keep a straight face when I read OnGuardOnline?

Well fear not, dear readers, for this is the secret to understanding these conundrums:  they’re actually different issues with a different funding trail.  This budget difference, although a topic we security people shun whenever we can, is insanely critical.

For securing their own internal systems, the Government faces exactly the same problems that most companies have only amplified because of scale–security is a cost center, and cost centers get reduced wherever possible.  Fudiciary responsibility to the taxpayers requires that the agency CISO’s staff do more with less, and that’s not a happy thought if you end up on the wrong side of the security budget equation.

Minimal Security photo by °Florian.

When it comes to security of external systems (and some national-level internal programs), the Government runs these as a program and offered as a service to the nation.  Some typical programs include the following:

It’s one of Washington’s best-kept secrets: being a program manager in the Government means that you get a mission and a bag of money, and your job is to decide where to spend it all.  This is the sweetest job and the one that you want whether it’s in security or any other discipline that you could image is a Government service–health care, law enforcement, or even the infamous “Gub’mint cheese”.

However, all is not peachy for programs.  They can get cancelled based on political will and trends, so if your program ends up non-favorably in the Washington Post, you might end with your bag of money pilfered for other programs.

Heightened Security photo by robmcm.

This concept of divergent funding is all nice and neat except, dear readers, when the issues are not separate–ie, when an internal IT system protected by the internal budget supports a particular program.  For example, consider the following scenarios:

  • Security of vulnerability data at US-CERT (external) that resides on a Government IT system (internal).
  • A financial system (internal) that tracks distributions to welfare recipients (external).
  • A government website (internal) that supports awareness and training on security issues affecting individual citizens such as identity theft (external).

Now this is the concept behind the way Government is supposed to be running security programs:  the internal funds pay for the centralized security and the funded programs pay for any level of security for IT systems that they sponsor.

But several catches:

  • The system owner has to understand how to budget for or ensure that security for their program is budgetted for.  Somewhere in there is an understanding of security risk.
  • The system owner (who in theory has better funding and therefore better security) is dependent upon the centrally-managed security (which in theory has less funding and therefore worse security).
  • Program-specific security comes out of the program, which means that higher security costs means that the program manager can’t spend money on the services they provide, which is where they really want to be spending it.
  • A ton of negotiation is required to figure out responsibilities between the program manager and the CIO/CISO.
  • If the agency takes too much money out of the program budget for security, we run into the same fudiciary responsibility problems in that we’re not managing our money properly.

Similar Posts:

Posted in FISMA, What Doesn't Work, What Works | 7 Comments »

7 Responses

  1.  CG Says:

    great post. The only thing i think you failed to mention is that in some organizations there is still a bit of old school thought that you can still pull the “functionality over security” argument. They do it, then wonder why the get an F on the scorecard. sheesh.

  2.  rybolov Says:

    Hi CG.

    I’m still confused. If the scorecard doesn’t equate to “real security” then how come we always cite it when we talk about who is doing right or wrong. Not that I don’t agree with you, just going off on a tangent.

  3.  CG Says:

    i dunno…why?

  4.  Liquidmatrix Security Digest » Homegrown Edition - December 10th Says:

    […] Introducing the Government’s Great Infosec Securities Issue The Guerilla CISO […]

  5.  Darren Couch Says:

    I’m a wee bit too lazy to pull the link of the post that mentions hardening vs uability here. My 2 cents is that the “score” is simply a way to simplify something extremely complex to someone who has absolutely no clue what you do or how you do it. So, F- could mean a lot of things, it seems. How is it weighted? what services are being provided? etc etc. If you’ve ever watched someones eyes glaze over when you start mentioning even sometning like packet routing it seems much simpler to tell them they got an “A”.

  6.  What’s Missing in the way the Government does Security? | The Guerilla CISO Says:

    […] personal belief is that the primary problem the Government has with security (on both sides of the InfoSec Equities Issue) is that there is a lack of skilled security practitioners upon which to draw from.  If you think […]

  7.  Inside the Obama Administration’s Cyber Security Agenda | The Guerilla CISO Says:

    […] point that this was needed.  Granted, I was specifically talking about the internal side of the InfoSec Equitites Issue, so the scope here is a little […]

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.

Visitor Geolocationing Widget: