Why CFOs and CIOs need to partner on cybersecurity
With the government spending billions annually on cybersecurity, it is essential that CIOs and CFOs work together to bake cyber into agency IT budgets, current and former officials say.
Washington happy hours are known for cheap drinks and networking, and federal agency CIOs and chief financial officers might consider lifting a glass together to deepen their working relationships, current and former officials said.
As the government confronts the growing need to invest in cybersecurity and IT modernization, CIOs and CFOs must find ways to understand each other’s needs and budget accordingly, said panelists at the Association of Government Accountants CFO/CIO summit.
“In the old days when your CIO and CFO had no relationship and didn't talk to one another, it was bad management,” said Lee Lofthus, assistant attorney general for administration at the Department of Justice. “Now, if you don't talk to one another, it's a real cyber risk for the whole agency.”
Other panelists pointed to DOJ as a federal leader in institutionalizing the relationship between the CFO and CIO. The CIO sits on the working capital board at Justice, while the deputy CFO sits on the department’s investment review board.
Lofthus added that there is no longer a bright line between a cybersecurity budget and an IT budget at DOJ. “It's an increasingly composite budget we get that has cyber baked into it,” he said.
He pointed to the example of data center consolidation, which was originally viewed as a cost-cutting measure. The department soon realized, however, that there was a cybersecurity benefit to reducing the attack surface and vulnerability of legacy systems.
Chris Condon, principal director to the Department of Defense's deputy CIO for resources and analysis, said that at DOD, the comptroller has given authority for the cyber and IT budget to the CIO’s office, so she is effectively acting as a CFO in the CIO shop.
“[It’s] not the same in the services,” she said. “We struggle every year as how do we get the two to talk.”
“It's really that the organization has to think about a process of risk management over all and then look at all the different components of risk -- cyber being one of those, financial being another...and having that ingrained in the culture of the organization,” said former Deputy Federal CIO Lisa Schlosser.
Schlosser told FCW that the Trump administration’s stated plan to make agency heads accountable for cybersecurity can help drive deeper connectivity between CIOs and CFOs.
“I think it's a responsibility of the agency head to lay out how critical cybersecurity is and the fact that it should be integrated into all mission and planning activities,” she said.
Schlosser said government should be copying the private sector in this regard. “There really is not a CEO these days who does not understand that he or she has to pay attention to cybersecurity and think about that in terms of risk to the organization,” she said.