[BreachExchange] How Agency CIOs Can Enable Business and Reduce Risk

Destry Winant destry at riskbasedsecurity.com
Thu Dec 19 09:44:29 EST 2019


Enabling the business of federal agencies while ensuring security
protection of agency and citizen information assets is uppermost on
the minds of government CIOs. While the adoption of more rigorous IT
enterprise architecture has helped many agencies gain a better overall
picture of their IT environments, what they must address is enhanced
visibility in order to “crosswalk” through their vast IT portfolios to
analyze their investments from multiple business perspectives. From
this vantage point, CIOs can better answer business questions about
the value to be received from them and be able to develop more
accurate pictures of mission gains and risks during project delivery.

Government budget and oversight leaders expect CIOs to have a plan for
tackling longstanding issues such as dealing with operating systems
that are no longer vendor supported or legacy hardware that can only
be maintained by finding high-priced replacements on eBay or
cannibalized components. It will also be assumed that agency CIOs will
ensure mission-critical applications will always be upgraded with
state-of-the-art programming code sets. On top of managing these
normal IT expectations, federal CIOs are faced with an increasing
number of reporting requirements from the Office of Management and
Budget (e.g. High Value Assets, Technology Business Management,
FITARA, CPIC, TBM). Further, these expectations will be met with little
new money to allocate to these demands or to keep trained and
competent technical staff on hand to deal with sustainment and new

In addition to the above expectations, CIOs struggle with reliable
answers to basic questions such as: what is the degree of
vulnerability their agency has to data breaches; what is a realistic
potential for cyber ransomware attacks; does their IT department have
the right functionality being prioritized and delivered; is the staff
trained with the right skills to do development and sustainment when
new technologies are implemented; and so forth. The answers to these
questions require analysis that cuts across people, processes and
technology. It should also provide a spectrum of likelihood of a
milestone occurring and an estimate of the negative business impact if
a risk is not mitigated.

When investment and sustaining decisions worth millions of dollars
require consensus among several stakeholders across an enterprise, it
is essential to ensure collaboration so that IT portfolio management
and risk management are successful.

As a CIO for several large public enterprises and in government, I
witnessed first-hand the dilemmas a CIO faces in dealing with such
challenges. It is hard to get the facts and data to reliably
know what tradeoffs to make when allocating resources to tackle

In the past, most agency CIOs, including me, used the most basic of
tools like spreadsheets to track investments, assess trade-offs, and
ensure risks were understood and dispositioned. I am convinced that
one practical answer is to consider a commercial-off-the-shelf
solution that takes a unified crosswalk approach to IT planning and
portfolio management in dealing with risks while being consistent with
the agency enterprise architecture.

By gaining visibility across the IT environment, CIOs can demonstrate
transparency between IT and business leadership, permitting multiple
objectives to be compared by cost and functionality with each other.
In turn, agency business leaders can more effectively manage risks
tied to their IT investment decisions, ensuring they are continually
optimized and aligned to support mission programs and citizen service.

While nothing is ever guaranteed, adept CIOs can enable their agency’s
path through the daunting thicket of mission delivery risks. By
adopting a strategic planning and IT portfolio management approach and
solution, they will be on the path to building a long-term partnership
with their agency business leadership.
