The issue made the news recently when nine individuals were indicted for snooping into President Obama's student loan information.
Both corporations and government have responded to the challenge of safeguarding sensitive information by creating a new role: chief information security officers, or CISOs. The role of these officers is still emerging. Do they safeguard best by using law enforcement techniques and technological tools? Or are they more effective if they serve as educators and try to influence the behaviors of technology users?
A recent report by Marilu Goodyear, Holly T. Goerdel, Shannon Portillo and Linda Williams identifies the strategies used by successful state CISOs. Their findings provide a good roadmap to success for all public-sector CISOs.
Based on a review of the cybersecurity landscape at the state level, Goodyear, Goerdel, Portillo and Williams provide a broad picture of strategies used to build successful programs and the activities of today's CIOs and CISOs. It is clear that collaboration is a key element in the successful implementation of cybersecurity programs in the states. Based on their research, they provide five key recommendations:
1. State cybersecurity officials should increase the use of collaboration and networks. CISOs should manage cybersecurity, in part, by identifying, mobilizing, participating in and helping maintain public-sector knowledge networks relevant to cybersecurity issues. CISOs and CIOs should recognize that the base of these networks is the development and preservation of interpersonal relationships, not a command and control perspective. Information sharing across boundaries has become the norm for CISOs despite the requirement that sharing information requires spanning a number of state bureaucratic boundaries. CISOs have created, participated in and led robust public-sector knowledge networks.
2. State cybersecurity officials should evaluate their formal and information relationship with federal cybersecurity officials. In an effort to build on existing networks, CISOs and CIOs should identify authority or status barriers between themselves and federal cybersecurity officials. Managerial efforts should then be directed towards removing, or mitigating, barriers most likely to impair bottom-up participatory governance by states regarding national cybersecurity programs. CISO collaborations are undertaking important work across all sectors and all levels of government.
3. State cybersecurity officials should devote increased attention to and receive training in multidisciplinary problem solving. Cybersecurity management requires a practical philosophy of multidisciplinary problem solving. The development of networks across security disciplines (cybersecurity, emergency management, critical infrastructure, information fusion centers, etc.) is critical for the continued success of cybersecurity efforts. Broadening CISO networks should be a priority for CISOs and CIOs.
4. State cybersecurity officials should receive training in collaboration competencies and those competences should be recognized and rewarded. Education programs for the CISO community should be focused on collaboration skill sets, beyond those technical in nature. Collaboration competences among CISOs should be incentivized recognized and rewarded by CIOs. While technical education remains important, the CISO role has grown far beyond technical management of cybersecurity tools. At the core of effective CISO skills and competences is a philosophy that cybersecurity problem solving is more than an exercise in technical proficiency. State CISOs themselves identify non-technical skills as particularly important, including collaboration/conflict management, communication skills and political skills.
5. State cybersecurity officials should devote increased attention to data management. CIOs and CISOs should build collaborations with data owners, records managers and archivists in the development of more robust data management within the states.
The report notes that "A focus on the management of data within government organizations is not new; most states have record definition statutes and retention schedules. However, the investment of resources in these programs has varied by state and agency." These days, a misplaced laptop can put hundreds of thousands of records at risk. The growing focus on cybersecurity provides an opportunity for states to refocus on these efforts to protect sensitive data.
