When written in Chinese, the word "crisis" is composed of two characters. One represents danger and the other represents opportunity. — President John F. Kennedy
I've often said that cybersecurity professionals are a lot like first responders. That is, they train, practice and endlessly condition themselves for the big red alarm to ring so they can save the world from cybermiscreants. Some people are comfortable in that role and others aren't, which is often the determining factor in whether someone is a successful cybersecurity leader.
COVID-19 is the big red alarm ringing, and I've been advising those professionals that now is their time to save the world — to take advantage of opportunity afforded by the crisis and demonstrate strategic leadership by establishing a deliberate vision for how security in our organizations will be executed both now and in a post-coronavirus world. Dan Lohrmann, a former chief information security officer for the state of Michigan, says it best: "The pandemic has brought cybersecurity front and center for state and local governments, but under different names and categories. Whether the hot topic is working from home, or unemployment benefits enrollments, or streamlining business processes using digital signatures, cyberleaders must seize this opportunity."
Working from home certainly belongs in that list of hot topics, since COVID-19 has resulted in government organizations transitioning a majority of their office-based employees to some form of remote work. This initially looked like a temporary measure, but it's becoming increasingly clear that many of those remote workers may never be returning to their government cubicles. Security leaders need to shift their response from viewing remote work vulnerabilities as a temporary problem and begin identifying more permanent solutions.
Remote work isn't a new business practice; many organizations inside and outside of government have been allowing it for years. What's different and concerning is the urgency and rapidity in which we made the transition. The security concerns include a vast and growing landscape of Internet communication options such as teleconferencing; far more use of cloud services and applications; and the use of data — often sensitive taxpaying-citizen data — without having developed adequate security policy or technology controls. Government employees working from home are playing games and trolling Facebook and Instagram on the same computers they are using to access sensitive data. How is your agency's security awareness training?
That's the kind of question government's chief information security officers can expect to hear more and more frequently from the elected executives and policymakers who are their bosses. CISOs have struggled for years to be taken seriously as business leaders and deserving of membership on the executive leadership team. The pandemic is their moment to prove they belong, but responsibility is the price they must pay for a seat at the table. "Security is not a problem you solve, it's a long-term business risk you manage," says security expert and entrepreneur Matt Devost. "It is important that your security program doesn't focus just on short-term goals, but that you also play the long game. As the CISO, you need to have a compass, not a map."
One of the best compasses out there is the business concept of "People, Process and Technology." Originally devised as an organizational development methodology to manage digital change, its three components have become foundational pillars of all great information security programs. CISOs need to develop very specific and clearly thought-out people-process-technology strategies that account for a future where the challenges are significantly different than they were at the beginning of 2020.
One of the first recognized process casualties of COVID-19, for example, was the lack of business continuity planning in most organizations. Does your jurisdiction or agency have a business continuity/crisis management plan today? And beyond the issue of continuity, are your security policies crystal clear on what is acceptable and unacceptable use of government-issued technology and services?
Now is a time to be creative — creative in the use of our talented people, creative in negotiating new (and old) contracts with vendors, and creative in getting every ounce of value out of the technology we already own. We need to think hard about how we can further integrate cybersecurity technology into our core services and processes in a way that shows real value in mitigating risk.
I often think we make cybersecurity more complicated than necessary. I read a long time ago that General Dwight Eisenhower's strategic plan in the final years of World War II was straightforward: (1) enter the continent of Europe; (2) defeat the German army; and (3) bring the war to an end. I'm sure that's far too simplistic, but when it comes to setting overarching goals to guide a responsive and comprehensive strategy, there's often value in simplicity.
Governing's opinion columns reflect the views of their authors and not necessarily those of Governing's editors or management.