Very nice article at Federal Times about Office of Management and Budget mandates actually interfering with agencies’ ability to provide effective security. Of course, I think it’s well-written because it says some of the same ideas that I’ve been saying for a while now. =)
So the question is, does OMB “get it” when it comes to information security? Well, yes and no. And the counter-question: should they?
Let’s look at what OMB does. In fact, go check out their web site; it has a wealth of information. It has the following mission statement:
“OMB’s predominant mission is to assist the President in overseeing the preparation of the federal budget and to supervise its administration in Executive Branch agencies. In helping to formulate the President’s spending plans, OMB evaluates the effectiveness of agency programs, policies, and procedures, assesses competing funding demands among agencies, and sets funding priorities. OMB ensures that agency reports, rules, testimony, and proposed legislation are consistent with the President’s Budget and with Administration policies.
“In addition, OMB oversees and coordinates the Administration’s procurement, financial management, information, and regulatory policies. In each of these areas, OMB’s role is to help improve administrative management, to develop better performance measures and coordinating mechanisms, and to reduce any unnecessary burdens on the public.”
OK, so they are responsible for management, budget, performance, policy, and acquisition. Hmm, sounds like the business side of the Government. Yes, they should be in charge of security, but from the perspective of a good CFO: that is, they know that it’s important because it’s loss reduction, but they don’t necessarily have the expertise on-hand to go into much more depth than that.
Now OMB is in a squeeze, and you need to understand their pressures. On one hand, their job is to assure compliance with all the laws, directives, policies, etc. On the other hand, their job is to reduce the cost of the Federal budget. In my world, these two goals are opposed to each other.
Add some political pressure and some serious security incidents into the mix, and you can easily see why OMB has been managing security by mandates and performance metrics (FISMA reporting). The mandates are policy statements and the metrics are intended to determine how efficiently agencies are executing their compliance. Thing is, this makes sense in a compliance-budget squeeze.
Notice that I didn’t bring up risk management anywhere in this post until now? Well, this is where risk management comes in. At the current burn rate for IT security spending in the Government, the way to realize efficiencies and cost savings while still meeting the compliance drivers is to use risk management. I’ll say this again: without risk management, everything becomes equally important, and you have neither effective security nor cost-conscious security.
My big question for you is this: who is performing true risk management for the Government as a whole?
- It’s not OMB, they just operate as the Government’s CFO
- It’s definitely not GAO, they’re just a dual-person control to keep the executive branch honest
- It’s not NIST, they just write standards and guidelines
The answer is this: agency CISOs. The problem with them being the highest level of risk management is the following:
- No sharing of risk with high-level stakeholders (OMB, White House)
- No sharing of risk with risk partners (Congress)
- No risk management at the national-level (strategic view)
- CISOs are given all the responsibility but none of the authority to fix things that really matter
- We all point fingers at each other when something breaks
So, how do we fix this? That’s a hard one. We can train OMB to do risk management. We can extend Lines of Business so that one agency (*cough* DHS *cough*) adopts national-level risk management. We can create a new organization that’s responsible for government-wide risk management, but then again that doesn’t make sense.