Government budgets are not infinite, but with some work, they can be made a bit more elastic.
Stretching a budget however means finding efficiencies that will allow agencies to cut costs, and that, means understanding what your organization needs to protect and prioritizing, according to attendees at the (ISC)2 Security Congress in Philadelphia.
"You can't protect everything anymore," said Matthew McCormack, who formerly served as chief information security officer for the Defense Intelligence Agency (DIA) and director of cyber-security operations for the Internal Revenue Service (IRS).
At the IRS, he said, his job was to keep the bad guys out; at the DIA, he was also tasked with catching insiders who misused data they were authorized to access. The shift in focus meant making decisions about what data was most critical and how he would go about protecting it, he said.
"Believe it or not, thin clients are cool again," he said, adding that the devices are generally cheaper and make it easier to protect the perimeter.
Automation of routine tasks is also key, noted Peter Gouldmann, U.S. State Department liaison to the National Institute of Standards and Technology (NIST). Gouldmann and McCormack were part of panel Tuesday that discussed ways government agencies can make the most of their budgets, including repurposing hardware and applying data collected through monitoring in multiple ways.
"How many of these things can I check off by doing the same operational monitoring that I'm doing today…if you can leverage your workforce gain a lot of intelligence out of your current monitoring capability and apply them to the business control requirements, you have saved yourself [money]," Gouldmann said.
Once employees are freed up, they too can be repurposed in ways that save money, Hord Tipton, executive director of ISC2, said Wednesday.
"Anytime you can repurpose people…they go into some other area, some other cost center," he said.
Another key area that provides cost savings is cloud computing, which Tipton said government agencies are cautiously embracing due to concerns about the safety of critical data.
"The cloud can start small; they'll need to start probably with an internal private cloud just to see how it works," he said.
Brent Conran, who was also on the panel Tuesday, described how moving to the cloud could reduce power consumption and cut costs. Prior to assuming his role as CSO at McAfee, Conran served as both the CIO and CISO of the U.S. House of Representatives, where he oversaw an effort to build a private cloud and consolidate servers.
Some of the advice however was non-technical, such as learning to play nice with the chief financial officer and human resources. The two hardest things to come by, McCormack said, are people and money – and HR and the CFO can help with both.
"I always try to spend a lot of time with the CFO, because if you are friends with the CFO or your budget analyst, when they have money, guess who they are going to call? They're going to call you because they know you can execute and spend that money in a week," he said.