October 2023 Security Topic - Information Security Program

What is a Program?

     There are several different dictionary definitions of a program, but they all seem to relate to having a plan, taking actions, and achieving a goal (Merriam-Webster, n.d.; Dictionary.com, n.d.; Collins, n.d.). A program is often described as a collection of related projects, unlike a portfolio, which can contain unrelated projects (Joubert, 2020). A program may also contain related activities that are not projects (Null et al., 2020). A program can be a one-time reorganization event, it can relate to ongoing business cycles, or it can be a mega project operating across multiple organizations (Miterev et al., 2016). Programs focus on delivering strategic-level value (Weaver, 2010; Joubert, 2020).

     What is an information security program then? It combines all the projects and activities related to the protection of information and systems into one program that is managed with an organization-wide set of goals and objectives. The program must be integrated into the strategic goals of the organization and support them. Alright, so the program concept makes sense. But why combine everything together? What is wrong with individual departments, teams, and functions managing their own information security practices? Do we really need another layer of bureaucracy and process if everyone is handling things just fine on their own?

Looking at the Department of Education (DoE)

     Information security is difficult to achieve without coordination across an organization. In 2021 the Department of Education received many negative information security findings (Portman & Peters, 2021). In the report these security issues were attributed to “a lack of internal communication and information sharing between stakeholders”, lack of enforcement, lack of consistency, and an inability to identify all department technology resources, including nine public-facing websites. The report also mentioned the use of ad-hoc procedures in managing technology resources. The auditor made a special note that disclosure controls for sensitive information were found lacking in four consecutive Federal audits (Portman & Peters, 2021). If the Department of Education is constantly getting audits and feedback about these issues, why don’t they just fix them?

     A major reason is likely that the DoE is large and complicated. The Department has over 18 Offices and initiative groups (Operating Structure, n.d.). It employs over 4,400 employees and has a budget of over $68 billion (Overview and Mission, n.d.). It operates out of its main office building in Washington D.C., with 1,100 employees working in 10 regional offices across the country (An Overview, n.d.). Its work ranges from research on early childhood through postsecondary education to civil rights issues, advice on Congressional legislation, public outreach, special education, rehabilitative services, Federal student loans, grant programs, various White House initiatives, and more.

     The Department has several information security teams:

  • Cyber Operations Branch
  • Governance, Risk and Policy Branch
  • Information Systems Security Branch
  • Security Engineering and Architecture Branch

These teams manage the Department’s regulatory compliance, incident planning and response, enterprise security architecture, vulnerability management, assessment, and the Department’s security policies, standards, and procedures. They work under the Office of the Chief Information Officer (OCIO). With such a large organization, budget, and dedicated teams, how could the Department of Education have so many troubling issues with its information security?

The DoE and Their FISMA Audits

     One way to appreciate how difficult it is to coordinate across such a large organization is to review the U.S. Department of Education’s Federal Information Security Modernization Act of 2014 (FISMA) audit reports. In the DoE CIO’s audit response for 2016, there are frequent references to the need for coordination with system owners, the development of status reports for security controls, and the provision of security training to users. Frequently the management response to an identified problem is that the OCIO would fix it. But most of these issues related to how the various Offices and initiatives were using systems and services, and to their expectations about connecting those services to the Department network. The audit for that year rated the security efforts of the Department of Education as “not effective” (DoE FISMA, 2016).

     In 2023, however, the FISMA audit rated the Department of Education as “effective” with a “Level 4” maturity rating. How did the Department go from failing to passing in seven years? This time the DoE CIO’s audit response did not contain statements that the OCIO would fix all problems. Instead, there are numerous references to an ED Cybersecurity Policy Working Group, a Supply Chain Risk Management Team, a Project Management Office, an ED Enterprise Identity, Credential, and Access Management Program, an ED Privacy Program, an ED Security Training Program, an Information Security Continuous Monitoring (ISCM) Team, and others (DoE FISMA, 2023). These are all elements of an overall security program designed to improve the protection of student data.

From Ownership to Coordination

     These teams, programs, and groups represent cross-functional structures both inside the OCIO itself and beyond it. Security ownership and responsibilities are given to all the Offices, with the OCIO serving in a coordinating role. There is little talk of forcing system owners and Offices to comply with security changes so that the CIO can meet its responsibilities to the organization. Instead, the CIO describes how the OCIO provides risk information to stakeholders and helps facilitate the various cross-Department activities related to information security operations (DoE FISMA, 2023). The OCIO has moved from the role of security owner to the role of security coordinator. System and information owners ultimately own security.

     Moving from ownership to coordination is why program thinking is important for information security. In a program, all activities and projects do not need to be owned by the same office or function. In the “not effective” Department of Education, all activity was essentially owned and managed by the OCIO. This arrangement is not ideal because the OCIO is less able to understand, or make risk decisions about, how all the different parts of the Department work. The OCIO is also outscaled by the organization itself; it is unlikely to be capable of independently maintaining awareness of all activities at the level of detail that information security requires.

Is a Program like an HOA?

     But if nobody is in charge, how does anything get done? Aren’t we right back at every department managing their own information security? Well, sort of. Under a security program each department has direct responsibility for information security. They can start their own security projects and initiatives. They can create procedures and documentation. Participating in a security program is like being in a homeowner’s association (HOA).

     In an HOA everyone buys their own house. They can do whatever they like as long as they follow the community guidelines. All roofs in the neighborhood might have to be red, for example. Homeowners can buy whatever roof they like and have whatever design they like, but the tiles themselves must be red. These guidelines are published to the community (security policies) and can be changed or challenged through the HOA Board (Security and Privacy Committee). The manager of the HOA (CIO) has various employees (cyber security professionals, system/network administrators, project managers) who help manage the overall property. But the rules that everyone needs to follow are set by the HOA board, and technically the manager and employees work to support the decisions of that board. All the other homeowners must also abide by the decisions of the board. Homeowners are also able to become board members themselves.

     Homeowners may want to share amenities so they do not have to pay the full cost themselves or manage them. They may have pools or recreation areas (firewalls, VPNs, Endpoint Detection and Response tools, etc.) which are also managed by HOA employees. Yes, the HOA employees do the work to maintain the pools and tennis courts, but the HOA board may set rules around when the recreation areas are available or other considerations. The HOA employees facilitate the requirements of the HOA board.

Finally, a summary!

     Information and systems are not used and owned by only one team or department. They do not support only one organizational goal or objective. Likewise, the risks they present are not owned by one team or department. As the Department of Education discovered on its journey to improved security, program thinking is necessary. Much like an HOA, a program serves as a guide for the organization, ensuring that all projects and initiatives meet organizational requirements while still providing flexibility to individual teams and departments.

     With the current complexity of organizations, the rapidly expanding use of technology, and the growing risks technology presents, a security program is not only a useful tool but is becoming essential. Information security is larger than one leader, one team, or one department, and it must be managed that way.

References

Joubert, S. (2020, January 27). Project, Program, and Portfolio Management: What’s the Difference? https://graduate.northeastern.edu/resources/project-management-vs-portfolio-management-vs-program-management/

Miterev, M., Engwall, M., & Jerbrant, A. (2016). Exploring program management competences for various program types. International Journal of Project Management, 34(3), 545–557. https://doi.org/10.1016/j.ijproman.2015.07.006

Null, G., Cross, J. A., & Brandon, C. (2020). Effects of Lean Six Sigma in program management. Journal of Manufacturing Technology Management, 31(3), 572–598. https://doi.org/10.1108/JMTM-04-2019-0139

Overview and Mission Statement | U.S. Department of Education. (n.d.). Retrieved October 24, 2023, from https://www2.ed.gov/about/landing.jhtml

Portman, R., & Peters, G. (2021). Federal Cybersecurity: America’s Data Still at Risk. United States Senate. https://www.hsgac.senate.gov/wp-content/uploads/imo/media/doc/Federal%20Cybersecurity%20-%20America's%20Data%20Still%20at%20Risk%20(FINAL).pdf

Program Definition & Meaning | Dictionary.com. (n.d.). Retrieved October 23, 2023, from https://www.dictionary.com/browse/program

Program Definition & Meaning—Merriam-Webster. (n.d.). Retrieved October 23, 2023, from https://www.merriam-webster.com/dictionary/program

Program definition in American English | Collins English Dictionary. (n.d.). Retrieved October 23, 2023, from https://www.collinsdictionary.com/us/dictionary/english/program

The U.S. Department of Education’s Federal Information Security Modernization Act of 2014 Report for Fiscal Year 2023. (2023). Office of Inspector General. https://oig.ed.gov/sites/default/files/reports/2023-10/a11q0001.pdf

The U.S. Department of Education’s Federal Information Security Modernization Act of 2014 Report for Fiscal Year 2016. (2016). Office of Inspector General. https://oig.ed.gov/sites/default/files/reports/2023-10/a11q0001.pdf

Weaver, P. (2010, February 24). Understanding Programs and Projects | PMI. https://www.pmi.org/learning/library/understanding-difference-programs-versus-projects-6896

Details

Article ID: 147795
Created: Tue 10/24/23 2:30 PM
Modified: Wed 12/13/23 4:13 PM