The Right Way to Budget and Plan for Cybersecurity: Larry Letow


Federal agencies are just like companies in their constant struggle to be safe from cyber attacks. Larry Letow offers a step-by-step guide for agencies and contractors to shore up their cyber firewalls.

Bloomberg Government subscribers get the stories like this first. Act now and gain unlimited access to everything you need to know. Learn more.

Many federal agencies know that they need to create a dynamic cybersecurity plan, but that’s easier said than done.

At least seven of the eight leading agencies continue to operate unsupported legacy systems that are vulnerable to an attack, according to a recent report. Every agency is vulnerable.

How can you effectively budget for and create versatile cybersecurity resilience plans?

How can you work with your approved government contractors to budget, plan, and execute your roadmap?

The Challenge of Planning

You must assume that no area is 100% safe from an attack. That means when you start your budget, you can’t place all of your dollars in one area. Nor can you assume that a plan that has secured another company can provide you with the same level of security.

One-size-fits-all plans and that style of thinking get poor results and leave you vulnerable in multiple ways.

Whether you develop your plan in-house or use a third party, you need to create a plan that precisely fits your environment, your team’s abilities, employees’ cyber acumen, and your industry.

Essential Components

An effective cyber resiliency plan should have three stages:

  • the gap stage, which assesses the current state of an agency and identifies its future acceptable state;
  • the implementation stage, which executes your new cybersecurity measures; and
  • the maintenance stage, which covers monitoring, monthly reviews, and employee education.

Ideally, you would work through these stages order. But realistically, depending on how mature your agency is, you will re-evaluate on a continuous basis, at each stage, and adapt as different threats surface.

The first stage involves creating a picture of where you currently are and determining the goals for the future. What infrastructure do you have now? Is it enough for your needs? Is it scalable and flexible?

This stage also involves assessments to confirm your current situation. Working with a professional will help you gauge your acceptable risk level for the future.

Without an idea of where you are headed, it’s impossible to create a cohesive plan to get there.

The time-frame and budget will be considered during this step. Your eventual goal might be out of line with your current budget, but you can’t afford to go without protection in the meantime.

The second stage focuses on how to get from where you are now to where you are headed. Based on the planning that you performed during the first stage, this step will involve implementation.

The best plans focus on the most pressing issues first. For example, it makes the most sense to reduce high-risk items before worrying about low-risk ones. The proper plan will make it easy to lower risk over time.

The third stage is one of maintenance and monitoring. Employee education and ongoing monthly reviews are critical to ensure that there are no weak links in your cybersecurity infrastructure and you don’t revert to a weak position.

If you can maintain the initial areas at an acceptable level, you can adjust your budget to other required areas of your cybersecurity plan.

There is no universal answer for what your plan should look like, and working with a professional will give you the guidance you need.

No Single Solution

It’s important to recognize that there is no universal cybersecurity plan that can meet all agencies’ needs.

Depending on your agency or department—your size, your budget, and a variety of other factors—the amount that is appropriate for you to spend might look totally different from a competitor or someone operating in another industry.

It’s also critical to know that your level of acceptable risk might vary from point to point.

This allows you to focus your investment on high-risk areas instead of worrying about everything as if they are equal across the board.

The old saying is true: Doing something is always better than doing nothing.

Subscribers can find related content at Bloomberg Government.

Author Information

Larry Letow is the CEO of CyberCX’s US Region, a global cyber security company comprising highly skilled consultants, capabilities and offices in United States, United Kingdom, Australia, and New Zealand. He’s been involved in the technology/cyber security industry for over 30 years serving commercial organizations and federal agencies.

Write for us: Email IndustryVoices@bloombergindustry.com

Stay informed with more news like this – from the largest team of reporters on Capitol Hill – subscribe to Bloomberg Government today. Learn more.