The Right Way to Budget and Plan for Cybersecurity: Larry Letow
Many federal agencies know that they need to create a dynamic cybersecurity plan, but that’s easier said than done.
At least seven of the eight leading agencies continue to operate unsupported legacy systems that are vulnerable to an attack, according to a recent report. Every agency is vulnerable.
How can you effectively budget for and create versatile cybersecurity resilience plans?
How can you work with your approved government contractors to budget, plan, and execute your roadmap?
The Challenge of Planning
You must assume that no area is 100% safe from an attack. That means when you start your budget, you can’t place all of your dollars in one area. Nor can you assume that a plan that has secured another company can provide you with the same level of security.
One-size-fits-all plans and that style of thinking get poor results and leave you vulnerable in multiple ways.
Whether you develop your plan in-house or use a third party, you need to create a plan that precisely fits your environment, your team’s abilities, employees’ cyber acumen, and your industry.
An effective cyber resiliency plan should have three stages:
- the gap stage, which assesses the current state of an agency and identifies its future acceptable state;
- the implementation stage, which executes your new cybersecurity measures; and
- the maintenance stage, which covers monitoring, monthly reviews, and employee education.
Ideally, you would work through these stages in order. Realistically, depending on how mature your agency is, you will re-evaluate continuously at each stage and adapt as different threats surface.
The first stage involves creating a picture of where you currently are and determining the goals for the future. What infrastructure do you have now? Is it enough for your needs? Is it scalable and flexible?
This stage also involves assessments to confirm your current situation. Working with a professional will help you gauge your acceptable risk level for the future.
Without an idea of where you are headed, it’s impossible to create a cohesive plan to get there.
The time-frame and budget will be considered during this step. Your eventual goal might be out of line with your current budget, but you can’t afford to go without protection in the meantime.
The second stage focuses on how to get from where you are now to where you are headed. Based on the planning that you performed during the first stage, this step will involve implementation.
The best plans focus on the most pressing issues first. For example, it makes the most sense to reduce high-risk items before worrying about low-risk ones. The proper plan will make it easy to lower risk over time.
The third stage is one of maintenance and monitoring. Employee education and ongoing monthly reviews are critical to ensure that there are no weak links in your cybersecurity infrastructure and you don’t revert to a weak position.
If you can maintain the initial areas at an acceptable level, you can adjust your budget to other required areas of your cybersecurity plan.
There is no universal answer for what your plan should look like, and working with a professional will give you the guidance you need.
No Single Solution
It’s important to recognize that there is no universal cybersecurity plan that can meet all agencies’ needs.
Depending on your agency or department—your size, your budget, and a variety of other factors—the amount that is appropriate for you to spend might look totally different from a competitor or someone operating in another industry.
It’s also critical to know that your level of acceptable risk might vary from point to point.
This allows you to focus your investment on high-risk areas instead of treating every area as if it carried the same risk.
The old saying is true: Doing something is always better than doing nothing.
Larry Letow is the CEO of CyberCX’s US Region, a global cyber security company comprising highly skilled consultants, capabilities and offices in the United States, United Kingdom, Australia, and New Zealand. He has been involved in the technology/cyber security industry for over 30 years, serving commercial organizations and federal agencies.