Meagher: Information security has few friends at the top
Security requires having an agency’s senior executive team say it will happen, Interior's deputy CIO says.
Agencies could benefit from more effective executive leadership, better funding and greater accountability for cybersecurity as they try to implement information security initiatives, said Ed Meagher, deputy chief information officer at the Interior Department.

Security, like any major initiative, requires having an agency’s senior executive team say it will happen, Meagher said. The department secretary is presented with difficult choices every day. Most agencies are juggling increased requirements and decreased funding, he said. Consequently, security only gets dribbles of money, Meagher said.

Business officials in federal agencies don’t take information security seriously enough, he said. They don’t appreciate what would happen if network systems and applications were taken down.

“I hear the same thing: ‘It’s too expensive, and you’re getting in the way of the mission,’ ” Meagher said. Information technology executives need to make a greater effort to educate the business community about cybersecurity, he added. Business owners “control the dollars and the business process and get to say no, and they do it religiously.”

Agencies have enough funding to pay for information security, but often it is spent inefficiently because of the procedures congressional committees use to distribute funding, Meagher said. They distribute money by bureau, sub-bureau and, in Interior’s case, by individual national park. “As a result, we have to go around to each and ask them to give some money back to us so we can do security at a department level,” Meagher said. “It’s a tough sell. Congress should fund security on the department level,” he said.

Information security is an area that would benefit from a command-and-control environment, Meagher said. Collaboration, studying the problem and having a foundation are important, he added. “But at some point,” Meagher said, “you must be able to say, ‘We’re going to do it this way and not that way.’ ”