Why CFOs And CIOs Need To Partner On Cybersecurity

Sean Carberry

Washington happy hours are known for cheap drinks and networking, and federal agency CIOs and chief financial officers might consider lifting a glass together to deepen their working relationships, according to current and former officials.

As the government confronts the growing need to invest in cybersecurity and IT modernization, CIOs and CFOs must find ways to understand each other’s needs and budget accordingly, said panelists at the Association of Government Accountants CFO/CIO summit.

“In the old days when your CIO and CFO had no relationship and didn’t talk to one another, it was bad management,” said Lee Lofthus, assistant attorney general for administration at the Department of Justice. “Now, if you don’t talk to one another, it’s a real cyber risk for the whole agency.”

Other panelists pointed to DOJ as a federal leader in institutionalizing the relationship between the CFO and CIO. The CIO sits on the working capital board at Justice, while the deputy CFO sits on the department’s investment review board.

Lofthus added that there is no longer a bright line between a cybersecurity budget and an IT budget at DOJ. “It’s an increasingly composite budget we get that has cyber baked into it,” he said.

He pointed to the example of data center consolidation, which was originally viewed as a cost-cutting measure. The department soon realized, however, that there was a cybersecurity benefit to reducing the attack surface and vulnerability of legacy systems.

Chris Condon, principal director to the Department of Defense’s deputy CIO for resources and analysis, said that at DOD, the comptroller has given authority for the cyber and IT budget to the CIO’s office, so she is effectively acting as a CFO in the CIO shop.

“[It’s] not the same in the services,” she said. “We struggle every year as how do we get the two to talk.”

“It’s really that the organization has to think about a process of risk management overall and then look at all the different components of risk — cyber being one of those, financial being another … and having that ingrained in the culture of the organization,” said former Deputy Federal CIO Lisa Schlosser.

Schlosser told FCW that the Trump Administration’s stated plan to make agency heads accountable for cybersecurity can help drive deeper connectivity between CIOs and CFOs.

“I think it’s a responsibility of the agency head to lay out how critical cybersecurity is and the fact that it should be integrated into all mission and planning activities,” she said.

Schlosser said government should be copying the private sector in this regard. “There really is not a CEO these days who does not understand that he or she has to pay attention to cybersecurity and think about that in terms of risk to the organization,” she said.

This article originally appeared in FCW magazine, and is republished by permission.

About Sean Carberry

Sean Carberry is an FCW staff writer covering defense, cybersecurity and intelligence. Prior to joining FCW, he was Kabul Correspondent for NPR, and also served as an international producer for NPR covering the war in Libya and the Arab Spring. He has reported from more than two-dozen countries including Iraq, Yemen, DRC, and South Sudan. In addition to numerous public radio programs, he has reported for Reuters, PBS NewsHour, The Diplomat, and The Atlantic. Carberry earned a Master of Public Administration from the Harvard Kennedy School, and has a B.A. in Urban Studies from Lehigh University.