“Sorry, no budget for that.”
Have you found yourself making similar statements to staff, government colleagues or suppliers in recent years?
And the last few months? Maybe you really wanted to pursue a new product or project, but after hearing more, you felt there was just no way to do it financially.
While state and local budget revenue is currently in very good shape (and some say it’s the best ever), I’ve been surprised how many times I’ve heard of ” budget issues” from state and local government technology and security officials across the country already in place. 2022. Although most states, such as Minnesota and Missourihave record budget surpluses, those dollars are somehow not getting into the security and technology budgets of a lot of governments across the country.
To be clear, the majority of state and local governments are seeing more technology spending right now. Indeed, the state and local market seems to be booming right now; this GovTech The article describes how the market for technology companies serving state and local governments reached record highs in mergers and acquisitions in 2021. In addition, this article describes how technology has been at the heart of many discourses on the State of the State by Governors in 2022.
Nonetheless, many CISOs report that one-time money, lack of staff, or other factors limit their ability to complete projects. Others worry that “the big quit” is causing a brain drain in government, or that cyber grants are too hard to come by or too little too late.
But whatever the reasons, in good times and bad, budgeting for technology and security in government organizations requires discipline, expertise, a repeatable process that works, and lots of help to succeed in the long term.
HOW GOVERNMENT BUDGETING IS DIFFERENT FROM PRIVATE SECTOR BUDGETING
While hoping for federal grants or simply waiting for someone else higher up the chain of government management to provide the necessary money can sometimes seem like the only way forward, there are more proactive strategies that I have seen it work over the years and that can definitely help.
I’d like to offer some budget lessons that I’ve learned from my conversations with state and local government cybersecurity professionals and groups like NASCIO, NASPO, and MS-ISAC, as well as my years as a CSO, CTO, and CISO of Michigan. But before you do, here are a few background things that make getting C-suite buy-in for budgets different from how things work in the private sector.
First, in government, those closest to the top executive are almost always political friends/allies of the governor, mayor or other senior public sector leader. The majority of these most trustworthy people were “on the bus” when they ran for office. That means many senior executives have literally campaigned with them in primaries and long days of political rallies, donated financially to their campaigns, and more. These are the people who are part of the “inner circle” and who are most listened to by the heads of government. They have unique access and long-term relationships that are very difficult to obtain if you weren’t “on the bus”. There is nothing equivalent in the private sector.
Second, although building trust takes time and skill in the public and private sectors, project timelines are often different. In government, there are fixed cycles that tend to follow electoral calendars, which often last four years, but can range from two to six years. Investments and priorities with the board – often the cabinet, committee or council – also follow unique budget cycles that include securing legislative and perhaps other support. Timing of requests is critical. Learn the jargon and measurements of these groups. How do they measure success?
Third, government rules, procedures, processes, approvals, monitoring and audits are often very complex and individual. It can take years to fully understand all the fiefdoms and side deals that are happening in government silos. In the private sector, financial or personnel support for senior leaders is usually implemented quickly. But, on the other hand, I have seen heads of government make clear decisions only to see “government bureaucracy” kill projects through a long list of internal maneuvers and delaying tactics.
7 LESSONS TO HELP FUND TECHNOLOGY AND GOVERNMENT SECURITY
1. Know where you stand, not just on the organization chart, but in the pecking order of “circles of trust” within government. If you’re not in the inner circle – and you probably aren’t if you weren’t on the bus – ask who is. Also, strive to be at least in the middle circle of career professionals who are trusted to “get things done” with a track record of professional success. Build trusting relationships with people in the inner circle (or at least the middle circle), whenever possible.
If possible, have lunch with heads of government. Discover the priorities and campaign promises of key government leaders. Get invited to strategy sessions and priority setting meetings that impact technology and security. Present your case in a variety of ways, from lightning pitches to formal cybersecurity presentations.
2. Gain a good understanding of how things are done in government. Read case studies of successful projects. Learn the budget deadlines for official (and unofficial) proposals. Always have a list of current needs when “fallout money” becomes available. By the way, I was often told “no money for this project” for months or even years, only to have a budget official come to me at the end of the fiscal year and say, “I I need the details of the expenses for said project now.” Lesson: Be prepared at all times with your list of priority expenses.
3. Get to know agency business leaders who might be more supportive of your cause, even if/when key elected leaders are not. Find a business champion in your organization who supports cyber change in a powerful way and support this snowplow. Surprisingly, it might not be an IT manager. For example, I’ve seen security champions in the transportation and treasury departments. Senior treasury executives were in charge of credit cards and needed payment card industry compliance. They pushed for dramatic improvements to our network controls by demonstrating the penalties for non-compliance.
4. Conduct online roadshows at least once a year in business areas across government. Build a regular cadence for updates on what’s happening, and don’t assume it’s a one-time deal. Review the good, bad, and ugly items and action items for safety. Talk about what works and where to improve with metrics.
5. Form a cyber committee (or better, use an existing technology sub-committee) to get buy-in from middle management leadership in the business areas. Ask security ambassadors to help you advocate through respected front-line non-IT leaders.
6. Communicate, communicate, communicate. I often hear CISOs and other heads of government say there is no money and their projects never get funded. My answer is to “get on the boats leaving the dock”. In other words, which projects receive funding? Are you, or your key aides, in those important meetings? For example, a new tax database is a top priority, but you are not invited to participate. Why? Ensure that security is integrated into all strategic projects. Build trust by involving yourself in the top priorities – or, if you can’t beat them, join them.
7. Partner strategically with others. This means building bridges through grants, other government groups like MS-ISAC, Police, FBI, DHS, etc. Many of these groups usually have the reputation and level of trust associated with them, even when new leaders do not. If you study what has worked and what hasn’t worked in the past, you can greatly benefit from these relationships. This may also include relationships with the private sector.
A word of warning: when a new top leader is elected, the inner circle will inevitably change. Staying effective during this transition, especially if political parties change, is a huge challenge.
Nonetheless, cybersecurity is one of the few high-priority topics that tends to be non-partisan. Stay focused on protecting data and critical infrastructure, and you can survive even the toughest administration changes.
Note that there are many elections at the end of 2022 that could change the direction of state and local governments.
I have written other blogs on this budgeting topic in the past; a helpful blog here covers budgeting in tough times.
Also, even if your budget is in good shape right now, don’t think you’re immune to future challenges. Some people believe inflation and the war in Ukraine could push the US into a recession if AND when interest rates rise later in 2022 or 2023. Following these tips can help you prepare for declines inevitable national and local tax revenues – and your security budget.
Finally, just like in your own household budget, you are never “done”. This budgeting process is an ongoing cycle that continues into the next cycle of the fiscal year.