If you are a government information-security professional, one of the recurring conversations among you and your peers starts with: "I wish my governor/mayor/city manager/executive director understood more about cybersecurity." I know this because I've been a party to many of these discussions.
Unfortunately, most security professionals still haven't figured out how to regularly communicate the challenges and issues in a way that encourages elected leaders and other public executives to ask hard questions. While governors or city managers shouldn't have to be security experts, they should be informed enough to ask expert questions, and it's the chief information security officer's responsibility to help them.
As I considered this, I wondered, "What are the five questions I wish my executive would ask about cybersecurity?" I did an informal poll of some of my CISO colleagues, and very quickly my five things became 10 things, and then 50 things. I decided to bound it by what I think are the five most important issues:
1. What is our cyber-risk? Most executives understand risk in a general sense. With cybersecurity, however, non-technologists are intimidated by both the scope and complexity of the issues. While it's the job of the organization executive to ultimately determine the level of investment in cybersecurity, it's the job of the security professional to help the organization determine the level of risk tolerance it can live with and then create a culture in which everyone understands the boundaries.
What government executives really want to know is this: "Are we doing everything we can to manage our cyber-risk?" I think it's important to clarify here that while you can do a lot of work and spend a lot of money lowering the level of risk, you can never completely eliminate it. In a very dynamic environment, where both the threat and the technology change rapidly, having a sharp picture of the risks we can accept, and more importantly those we can't, is critical. In addition, by knowing the effectiveness of our risk-prevention capabilities, we should be able to either answer affirmatively that yes, we are doing everything we can to manage our cyber-risk, or no, we have gaps that need further work.
2. How much of our IT budget goes to security, and is it enough? Depending on where the CISO reports in an organization, this can get a bit touchy. The security team in most government organizations still reports to the chief information officer, which can create a conflict when the CIO owns the IT budget and security funding comes out of that same bucket. There has been a lot of benchmarking over the years, with percentages all over the map, so most people don't have a lot of confidence in the numbers, but generally, most organizations spend somewhere between 3 percent and 10 percent of their overall IT budgets on cybersecurity. I think it's more important for executives to understand that security is really about accepting that external risk factors are very dynamic in nature and require a bit of crystal-balling when it comes to forecasting the security budget.
3. Do we understand the who, what, where and why of our data? Data — and particularly the sensitive personal information that governments hold — is one of the most valuable resources and thus the most sought-after target for cyber-criminals. Understanding the who, what, where and why of data is the most important organizational concern with respect to security and privacy, and one of the most difficult to effectively manage. On the top of every executive list of data-related questions should be:
Who has access to our data, and is that access regularly reviewed to ensure that people have only as much access as necessary to perform their jobs?
What sensitive data are we retaining, and is it absolutely required that we retain it?
Where is the data stored? Are we meeting regulatory compliance requirements for encryption, and do we have a process in place to ensure availability in the event of a disaster?
Why do we need to retain so many different kinds of data?
4. Do we have a plan for when something bad happens? Here are two examples of why this could be the most important executive security question:
- One day in mid-March, public employees went to work in their offices around the country. A day later, due the sudden surge of the COVID-19 pandemic, government organizations everywhere were scrambling to get the IT and security technologies in place for a newly remote workforce.
- Open any newspaper or visit any online news source during the course of a week, and it's a good bet that another government jurisdiction or agency will have become the victim of a ransomware attack, typically with a 72-hour deadline to pay up.
Having a business continuity plan is the difference between continuing to provide a government service and government customers getting a busy signal. Trying to put a plan together in the middle of a crisis is not business continuity management — it's disaster recovery.
5. What can I do to help our security program? If the senior executives in an organization actively and visibly support the information-security program, it's pretty hard for the rest of its employees to not give it the same kind of attention. Culture, not technology, is the biggest differentiator in organizations with great security programs, and the best security programs I've seen are those where the security team and the executive team walk arm-in-arm in creating a culture of security.
I recognize that these questions raise a lot of issues that can't be easily answered, but that's the key: These questions can open the eyes of public leaders to the profound challenges security professionals face every day and hopefully provide a level of confidence that the security organization is thinking broadly enough about those challenges.
Governing's opinion columns reflect the views of their authors and not necessarily those of Governing's editors or management.