Tales from the trenches about why it's so hard to get buy-in for cyber and other IT initiatives.
When Richard Spires was CIO at the Department of Homeland Security, he had no trouble getting cybersecurity onto the secretary's agenda. Getting funding, on the other hand, was another matter entirely.
"You would think [cyber] would be like No. 1 or No. 2 in the budget priorities," Spires said at the HP Protect cybersecurity conference on Sept. 10. "Well, not even close."
Part of the issue, Spires and other former agency IT leaders at the conference said, was that legacy systems consume a large share of budgets, and that there is constant pressure to shift remaining money into new systems and new functionality. Because cybersecurity spending is generally invisible when it succeeds, Spires said, "it's always going to be a struggle, because you're always buying insurance."
The key challenge for CIOs and other IT leaders, therefore, is to put the costs, risks and benefits of cyber into a context that non-technical executives can understand. "If you don't do that, you can be very easily sidelined," said retired Vice Adm. Patricia Tracey, who is now HP's vice president for homeland security and defense services. Particularly in the military services, where mission leaders have their own budgets, "they can buy around you."
Retired Rear Adm. Robert Day, who was CIO of the Coast Guard before stepping down this summer, agreed. "You need to talk in terms of operational impact," he said. "Because the moment the bits and bytes start coming out, the eyes close and you're done."
Day explained how he helped a commandant who was "very much operationally focused, and did not know a damn thing about cyber," understand what was at stake. First, he took the commandant and his senior team into the Coast Guard's cyber operations center, "where they could really see what's going on." And with their top-level clearance, Day said, the officers "could see the worst of the worst."
Then, Day said, he was able to "take those conversations back and translate that into, 'what would the operational impact be?'" With the commandant now on board, a "red team" was assembled to mount a cyber-attack against a brand-new National Security Cutter -- a vessel the Coast Guard describes as the centerpiece of the fleet.
That exercise demonstrated, Day said, "with not a very high-level team going against that cutter, I could prevent it from leaving the dock."
"And then that started resonating with that team."
For Spires, who is now CEO of Resilient Network Systems (and who writes a regular column for FCW), that need to frame IT in terms of agency mission meant putting a priority on forensics to make sense of the cyber intrusions that he said are inevitable for any large-scale agency or organization. "There is nothing that will get a secretary's attention like talking about what was exfiltrated," he said.
Sometimes, however, even that is not enough. David Wennergren, the Professional Services Council's senior vice president for technology policy, recalled his experience as the Navy's CIO and elsewhere in the Defense Department.
Wennergren would go into a budget meeting, he said, and declare: "Terabytes of data are being exfiltrated, and we need more money for firewalls!"
"And then the next presenter gets up and says, 'Look at this plane, "whoosh." Look at this missile, "whoosh."' And then, like, where does the money go?"
It's impossible to overstate "the importance of articulating the reason why" cybersecurity and other IT spending is needed, said Elizabeth McGrath, who before joining Deloitte as director of federal strategy and operations was the Defense Department's deputy chief management officer. "They have to see themselves in the conversation, or you won't have their buy-in."