IT Budgets, Cybersecurity Top Federal CIO Concerns

WASHINGTONAsk federal CIOs what keeps them up at night, and you’ll hear an earful. From cybersecurity and governance policy to modernization initiatives and adjusting to tightening budget constraints, CIOs in the federal government have their hands full, according to a new study from the advocacy organization TechAmerica and the consulting firm Grant Thornton.

Presenting the findings of the survey here on Thursday, George DelPrete, a partner at Grant Thornton and chair of TechAmerica’s CIO Survey Group, began his talk with a gesture toward an image of a magician projected onto a large screen at the front of a conference room.

“We were trying to think of a good theme, and for us a good metaphor for the CIO was a magiciansomeone who has to pull the rabbit out of the hat,” DelPrete said. “Today the number of things that CIOs need to do hasn’t declined, yet they’re being forced to find ways to innovate with less resources than they previously had.”

Cybersecurity Tops the List

In the surveyof 40 federal CIOs and other officials and staffers across executive agencies and congressional oversight committees, the respondents identified cybersecurity as their chief concern.

That encompasses both attacks from outside entities and internal risks, such as lost or stolen laptops, sharing passwords and other lax security practices or employees who shift roles but retain access to sensitive information from their former position. Some respondents pointed to an imbalance that sees the majority of some agencies’ cybersecurity resources directed toward external threats, while most serious data breaches are attributed to internal factors.

“Internal threats aren’t always reported but they are a big concern for the CIO community,” DelPrete said.

At the same time, the volume and intensity of attacks from outside groups is escalating.

“The nature of external threats is changing,” DelPrete said, noting the emergence of sophisticated attackers supported by nation-states and so-called hacktivist groups such as Anonymous that target organizations to make a social or political statement. “A number of the folks that we spoke with felt that the existing security framework that they saw was really not consistently applied,” he added.

The CIOs surveyed generally agreed that their efforts to protect their IT infrastructure are hobbled by the absence of a centralized security authority within the government and the wide inconsistencies in the quality and implementation of agencies’ defenses. They also suggested, perhaps hopefully, that increased funding for cybersecurity initiatives could improve their defensive posture.

IT Budget Cuts Threaten Infrastructure

But IT budgets, like many other line items, are facing significant cuts amid strong political pressure to rein in government spending. As a result, plans to improve core infrastructure are sometimes shelved, while the ambitious, government-wide initiatives to move to the cloud and consolidate data centers, both directives of the White House, risk falling behind schedule.

“Often the last thing that thing that [CIOs] have money left to do is upgrade the networks and infrastructure. Lots of them had plans to do that but they just can’t get the resources,” DelPrete said.

“A lot of them want to do data-center consolidation, a lot of them want move to the cloud and find cheaper ways to do things. It takes money to do that. They don’t often have the money to do the planning, to do the analysis to look at how they would get to where they need to go,” he added.

It is not surprising then that the CIOs surveyed said that their top management priority is to control costs, followed by rationalizing and centralizing IT services and introducing new technologies to modernize their computing operations.

The respondents appealed for fewer data calls, government-wide directives and unfunded mandates from Congress or the central agency as a path to help cut costs. They also suggested that agencies could do a better job of sharing technology and crafting more efficient and less burdensome developer policies.

But many of the CIOs polled complained that they lack sufficient authority to control their agencies’ IT spending and oversee important operations such as cybersecurity.

“If CIOs are to play central roles in cost control and IT reform, then Congress needs to define better what CIOs can do to force their organizations to take action,” the authors of the report wrote. “Many CIOs of departments and large agencies say they feel accountable for results but limited in the ability to achieve them.”

Among the other concerns that CIOs expressed, issues associated with mobile devices and the labor force loomed large. The CIOs tended not to favor a bring-your-own-device strategy, arguing instead for common hardware but a governance framework that provides for rapid development of mobile technology to keep pace with surging demand and rapidly evolving user preferences.

Concerns are mounting about replacing the retiring Baby Boomers, who occupy most of the senior management and executive positions in the government. Slightly more than half (52 percent) of the CIOs surveyed said they do not have a formal succession plan in place for replacing retiring leaders.

The budgetary pressures that agencies are facing can also have a dramatic impact on the health of their workforce, the CIOs reported. Many agencies are facing pay freezes, which the respondents said contributes to low morale and causes more workers to leave. Even agencies that are not operating under pay freezes still often face salary caps that the CIOs complain are well below market value. In either case, agencies across government are struggling to attract and retain top talent that could command higher salaries and enjoy brighter prospects for advancement in the private sector.

“Staff are leaving and it often can be hard to compete with industry,” DelPrete said.

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com. Follow everything from CIO.com on Twitter @CIOonline, on Facebook, and on Google +.