Have you found yourself making similar statements to staff, government colleagues or vendors in the past few years?
How about the past few months? Perhaps you really wanted to pursue some new product or project, but after hearing more felt that there was just no way to get it done financially.
While state and local budget revenues are currently in great shape (and some say the best ever), I have been surprised at how many times I have heard about “budgeting woes” from state and local government technology and security leaders around the country already in 2022. Even as most states, such as Minnesota and Missouri, have record budget surpluses, those dollars are somehow not flowing in security and technology budgets in a large number of governments around the country.
To be clear, the majority of state and local governments are seeing more technology spending currently. Indeed, the state and local government market seems to be surging at the moment; this GovTech article describes how the market for tech companies serving state and local government hit record M&A highs in 2021. Also, this article describes how technology has been central to many State of the State addresses by governors in 2022.
Nevertheless, many CISOs report one-time money, a lack of staff or other factors as limiting their ability to get projects done. Others worry about “The Great Resignation” causing a brain drain in government, or cyber grants being too hard to get or too little too late.
But regardless of the reasons, in good times and in bad, budgeting for technology and security in government organizations requires discipline, expertise, a repeatable process that works and lots of help in order to achieve long-term success.
HOW BUDGETING IN GOVERNMENT IS DIFFERENT FROM THE PRIVATE SECTOR
While hoping for federal grants or just waiting for someone else higher up in the government management chain to deliver the needed money may seem like the only way forward at times, there are some more proactive strategies that I have seen work over the years that can certainly help.
I’d like to offer some budget lessons that I learned from my conversations with state and local government cybersecurity pros and groups like NASCIO, NASPO and MS-ISAC as well as my years serving as Michigan CSO, CTO and CISO. But before I do, here are some background items that make getting C-suite buy-in for budgets different from how things work in the private sector.
First, in government, the people closest to the top executive are almost always political friends/allies of the governor or mayor or other top public-sector leader. The majority of these most-trusted people were “on the bus” when they ran for office. This means that many top executives literally campaigned with them through primaries and long days of political rallies, gave financially to their campaigns, and more. These are the people who are in the “inner circle” and who are listened to the most by government leaders. They have unique access and long-term relationships that are very hard to gain if you were not “on the bus.” There is nothing equivalent in the private sector.
Second, while building trust takes time and skill in both the public- and-private sectors, the timelines for projects are often different. In government, there are set cycles that tend to follow election calendars, which often run for four years, but can range from two up to six. Investments and priorities with the board — often the cabinet or committee or council — also follow unique budget cycles that include getting legislative and perhaps other support. The timing of requests is paramount. Learn the lingo and metrics of these groups. How do they measure success?
Third, government rules, procedures, processes, approvals, oversight and audits are often very complex and individual. It can take years to fully understand all the fiefdoms and side deals that occur in government silos. In the private sector, financial or staff support from the top leaders is generally acted upon swiftly. But, in contrast, I have seen government leaders make clear decisions only to see the “government bureaucracy” kill projects through a long list of internal maneuvers and delaying tactics.
7 LESSONS TO HELP WITH FUNDING GOVERNMENT TECHNOLOGY AND SECURITY
1. Know where you stand, not just on the org chart but in the pecking order of “trust circles” in government. If you are not in the inner circle — and you probably are not if you weren't on the bus — ask who is. Also, strive to at least be in the middle circle of career professionals who are trusted to “get things done” with a track record of career success. Build trusted relationships with those on the inner circle (or at least in the middle circle), where possible.
If feasible, do lunch with the government leaders. Learn the top governments leaders’ priorities and campaign promises. Get invited to the strategy sessions and priority-setting meetings that impact technology and security. Make your case in a variety of ways, from elevator pitches to formal cybersecurity presentations.
2. Gain a good understanding of how things get done in government. Read case studies of successful projects. Learn budget timelines for official (and unofficial) proposals. Always have a list of current needs when “fallout money” becomes available. As an aside, I was often told “no money for that project” for months or even years, only to have a budget person come up to me at the end of the fiscal year saying, "I need the spending details for said project now." Lesson: Be ready with your spending priority list at all times.
3. Get to know the business leaders in the agencies who may be more sympathetic to your cause, even if/when the top elected leaders are not. Find a business champion in your organization who is backing cyber change in powerful ways and get behind that snowplow. Surprisingly, this may not be an IT manager. For example, I’ve seen security champions in the transportation and treasury departments. The senior execs in treasury were in charge of credit cards and needed payment card industry compliance. They pushed for extensive improvements in our network controls by demonstrating the penalties of noncompliance.
4. Conduct cyber roadshows at least annually to business areas throughout government. Build a regular cadence for updates on what’s happening, and don’t assume this is a one-time deal. Go over the good, bad and ugly and action items in security. Talk about what is working and where improvements are needed to be done with metrics.
5. Form a cyber committee (or better, utilize an existing technology subcommittee) to get executive buy-in from middle management in business areas. Get security ambassadors to help make the case through frontline non-IT leaders who are respected.
6. Communicate, communicate, communicate. I often hear CISOs and other government leaders say there is no money and that their projects never get funded. My response is to “get on the boats leaving the dock.” That is, what projects are getting funding? Are you, or your top deputies, in those important meetings? For example, a new tax database is a top priority, but you are not invited to participate. Why? Make sure security is built into all strategic projects. Build trust through getting involved in top priorities — or, if you can’t beat them, join them.
7. Strategically partner with others. This means building bridges through grants, other government groups like MS-ISAC, police, FBI, DHS, etc. Many of these groups usually have the reputations and a level of trust associated with them, even when new leaders don’t. If you study what has worked and not worked in the past, you can benefit greatly from these relationships. This can also include relationships with the private sector.
One word of caution: When a new top leader is elected, the inner circle will inevitably shift. Staying effective during this transition, especially if political parties change, is a huge challenge.
Nevertheless, cybersecurity is one of the few high-priority topics that tends to be nonpartisan. Stay focused on protecting data and critical infrastructure, and you can survive, even during very difficult administration changes.
Note that there are many elections in late 2022 that may change leadership in state and local governments.
FINAL THOUGHTS
I have written other blogs on this budgeting topic in the past; one helpful blog here covers budgeting in hard times.
Also, even if your budget is in good shape right now, don't think you are immune from future challenges. Some people think inflation and the war in Ukraine could push the U.S. into a recession if AND when interest rates rise later in 2022 or in 2023. Following these tips can help you prepare for inevitable downturns in state and local tax revenue — and your security budget.
Finally, just as in your own home budget, you are never “done.” This budgeting process is an ongoing cycle that continues into the next fiscal year cycle.
