Budgeting for Cybersecurity

Sean McSpaden, Monique Appeaning 1/26/2018

Introduction

How much does your state need to invest—in terms of money, person-hours, and other resources—to provide adequate cybersecurity to state systems? How can legislators determine whether a budget request is justified and sufficient?

Budgeting for cybersecurity is a challenging process, in part because implementing security measures is not a finite task: it is a series of interrelated, ongoing processes. Providing adequate cybersecurity resources should not be an afterthought; rather, it must inform every step of the process.

States need to build security considerations and testing into the entire systems lifecycle (development, acquisition, deployment, maintenance, and support), as the federal government does. For example, 18F, an office within the federal General Services Administration (GSA), has been working with states to automate security testing as part of the continuous deployment pipeline, so that every code change or newly deployed system is automatically run through a battery of tests before it is released. Such tests catch known classes of vulnerabilities and regressions of previously fixed issues; they do not prove that new code is free of vulnerabilities, so periodic manual review and penetration testing remain necessary. 18F is part of the Technology Transformation Services, which sits within GSA's Federal Acquisition Service.
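To make concrete what "automatically run through a battery of tests" means in practice, here is an added illustration, not 18F's pipeline and not part of the original article: a minimal continuous-integration workflow in GitHub Actions syntax. It assumes a hypothetical Node.js project with a package-lock.json and a hypothetical file name (.github/workflows/security-gate.yml); it blocks a change when a dependency carries a known high- or critical-severity vulnerability or when the project's test suite fails.

```yaml
# Added illustration (hypothetical file .github/workflows/security-gate.yml),
# not code from the original article or from 18F. Assumes a Node.js project
# with a package-lock.json. Every push and pull request runs the job, and any
# failing step blocks the merge.
name: security-gate
on: [push, pull_request]

jobs:
  security-gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      # Install exactly the dependency versions recorded in the lockfile,
      # so the scan covers what will actually be deployed.
      - run: npm ci
      # Fail the job if any dependency has a known vulnerability rated
      # high or critical in the npm advisory database.
      - run: npm audit --audit-level=high
      # Run the project's own test suite, including any regression tests
      # written for previously fixed security bugs.
      - run: npm test
```

The budget relevance is that a gate like this costs staff time to set up and tune once and then runs on every change at no marginal labor cost; the findings it produces still need people to triage and fix, which is the recurring expense to plan for.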

To understand and budget for cybersecurity needs, state legislators and their legislative staff need to learn the terminology, understand the cybersecurity risks their state faces, and know which activities and resources help them prepare for, respond to, and recover from cybersecurity events when they do happen.

Legislators and legislative staff need to understand that cyber preparedness is an ongoing process that requires sustained effort and flexibility in budgeting to address emerging vulnerabilities and threats. Specifically, legislators must consider how cybersecurity functions are organized and who, within each state, is responsible and accountable for cybersecurity. This knowledge directly affects the type, scale, and complexity of the governance, organizational, and funding models that must be established.

Several factors—competing fiscal interests, a lack of understanding of cyber vulnerabilities, and legislators’ incomplete knowledge of the current cyber “states” of their states—make this process difficult at best. We hope that the following guidance will help state legislators and legislative staff navigate the landscape of cybersecurity readiness and properly assess cybersecurity budget requests.

Sean McSpaden
Principal Legislative IT Analyst
Oregon

Monique Appeaning
Fiscal Analyst/Special Projects Coordinator
Louisiana

Additional Resources