Why CFOs and CIOs need to partner on cybersecurity

Washington happy hours are known for cheap drinks and networking, and federal agency CIOs and chief financial officers might consider lifting a glass together to deepen their working relationships, current and former officials said.

As the government confronts the growing need to invest in cybersecurity and IT modernization, CIOs and CFOs must find ways to understand each other’s needs and budget accordingly, said panelists at the Association of Government Accountants CFO/CIO summit.

“In the old days when your CIO and CFO had no relationship and didn't talk to one another, it was bad management,” said Lee Lofthus, assistant attorney general for administration at the Department of Justice. “Now, if you don't talk to one another, it's a real cyber risk for the whole agency.”

Other panelists pointed to DOJ as a federal leader in institutionalizing the relationship between the CFO and CIO. The CIO sits on the working capital board at Justice, while the deputy CFO sits on the department’s investment review board.

Lofthus added that there is no longer a bright line between a cybersecurity budget and an IT budget at DOJ. “It's an increasingly composite budget we get that has cyber baked into it,” he said.

He pointed to the example of data center consolidation, which was originally viewed as a cost-cutting measure. The department soon realized, however, that there was a cybersecurity benefit to reducing the attack surface and vulnerability of legacy systems.

Chris Condon, principal director to the Department of Defense's deputy CIO for resources and analysis, said that at DOD, the comptroller has given authority for the cyber and IT budget to the CIO’s office, so she is effectively acting as a CFO in the CIO shop. 

“[It’s] not the same in the services,” she said. “We struggle every year as how do we get the two to talk.”

“It's really that the organization has to think about a process of risk management overall and then look at all the different components of risk -- cyber being one of those, financial being another...and having that ingrained in the culture of the organization,” said former Deputy Federal CIO Lisa Schlosser.

Schlosser told FCW that the Trump administration’s stated plan to make agency heads accountable for cybersecurity can help drive deeper connectivity between CIOs and CFOs.

“I think it's a responsibility of the agency head to lay out how critical cybersecurity is and the fact that it should be integrated into all mission and planning activities,” she said.

Schlosser said government should be copying the private sector in this regard. “There really is not a CEO these days who does not understand that he or she has to pay attention to cybersecurity and think about that in terms of risk to the organization,” she said.


About the Author

Sean Carberry is an FCW staff writer covering defense, cybersecurity and intelligence. Prior to joining FCW, he was Kabul Correspondent for NPR, and also served as an international producer for NPR covering the war in Libya and the Arab Spring. He has reported from more than two-dozen countries including Iraq, Yemen, DRC, and South Sudan. In addition to numerous public radio programs, he has reported for Reuters, PBS NewsHour, The Diplomat, and The Atlantic.

Carberry earned a Master of Public Administration from the Harvard Kennedy School, and has a B.A. in Urban Studies from Lehigh University.
