Strategic Support Key to Success of Government Cybersecurity Programs

Author: Dan Lohrmann, Chief Strategist and Chief Security Officer, Security Mentor

During the years I’ve spent working in government, I have witnessed interesting political shenanigans, but I’ve never heard politicians put positive spin on a data breach or cyber crime. No one says out loud that we should stop worrying about computer network defenses or poor cyber hygiene.

Nevertheless, if we look back over security programs at the federal, state and local levels, we can see that funding actions don’t always match public statements. Even basic verbal support for information security, privacy, and awareness training is woefully limited. Other priorities get more attention and more resources.

Public sector leaders rarely speak about cybersecurity unless a breach occurs, and even then the conversation is more about damage control than the lessons learned. Fostering security requires vigilance, education, remediation, and planning. Apathy is worse than opposition because the beneficial public dialogue never happens.

Assess and Improve the Quality of Executive Support

Over the years, I have observed several patterns in the lack of backing for government cybersecurity programs. The situation is, no doubt, improving, but we need to learn from past mistakes. After all, our online adversaries never relent in their push to adapt to whatever defenses we construct.

Government decision-makers often align their support for cybersecurity projects with the technology adoption curve. This curve includes: innovators, early adopters, early majority, late majority and laggards. (Note: The percentage breakdowns listed in the linked chart aren’t necessarily the same for cybersecurity as for other areas.)

While no one wants a data breach on their watch, government managers are slow to champion the implementation of better security controls or to allocate more resources to security programs. Fortunately, awareness of security threats is growing amongst government personnel because of frequent high-profile data breaches, new personal data laws, and compliance mandates for health care data, credit cards, tax information, and more.

Yet, I never cease to be amazed by the barricades and walls that exist in some government organisations around implementing vital protective measures. Other priorities prevail, often because political leadership was elected on promises to support education, roads, health care and other initiatives more visible to the public.

Seven Strategies to Build Support

How can security and technology professionals overcome these difficulties? Following are seven methods that have been proven to work around the country, in both public and private sectors. Whether you have a centralised, decentralised or hybrid governance model, consider trying one or more of these approaches to garner additional resources and influence.

1) Establish a security committee that includes business leaders. Include influential representatives from business-side clients, technology infrastructure personnel, application development leaders, and key decision-makers. Solicit support from legal, HR, internal audit and other areas to build a broad foundation for security awareness and adoption. Meet regularly, discuss threats and concerns, and take concrete steps to mitigate risks.

2) Build personal relationships and trust with key decision-makers. In government, reputations are based on who delivers and who doesn’t. You are likely to work with the same group of professionals for years, so put yourself out there. Conscientiously grow and strengthen your network.

3) Find a business champion. Have an innovative executive from the business side engage with slow adopters. Sometimes, the security or technology executive is not the best person to seek management’s support. Ask a business executive who “gets it” to speak with their peers about the importance of specific and immediate cybersecurity needs. If your security committee (see 1) is effective, this cross-enterprise support will grow over time. Encourage the leaders, innovators and early adopters to work on winning over the laggards.

4) Deliver a “security roadshow” briefing to legislature, elected officials, agency heads, budget officials and department directors at least annually. Use metrics and case studies to illustrate the specific topics that affect your clients. Allow for plenty of open dialogue and Q&A. Make this security briefing part of your customer service approach and always address specific actions that will reduce risk for that customer. When necessary, ask for additional resources in clear and simple terms.

5) If you can’t beat them – join them. “Get on the boats that are leaving the dock.” Leverage hot-button issues that are being funded. Participate in projects that are already getting funded; ensure that security is built in from the outset. For important initiatives, get a seat at the table as a committee member or key resource. Go beyond your basic duties to support the success of related teams.

6) Identify and point to other governments’ best-practice cybersecurity projects. It’s tough to persuade the budget office even if you have their respect. Pointing to successful government initiatives can win over skeptical execs who want real-world proof that a specific project is worth funding.

7) Partner with others outside your organisation. Look at opportunities available in the private sector, other governments, the Multi-State Information Sharing and Analysis Center (MS-ISAC), National Governors Association (NGA), US Department of Homeland Security (DHS), and NASCIO. As you build your security strategies, don’t forget to collaborate with groups that have a wider view and deeper pockets.

Be Prepared and Persistent

Remember that government budgets often go through pendulum swings throughout the fiscal year. In some cases “end of the year fallout money” becomes available as the fiscal year closes. Be prepared to jump on such opportunities. Always have your prioritised wish list ready in case management asks, “What do you need?”

Timing is essential. Don’t give up after an initial rejection. It’s all about the right idea at the right place at the right time at the right price—with the right person delivering the message to the right decision maker.

I’d love to hear your strategies for gaining executive support for cybersecurity.


About Daniel J. Lohrmann

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Lohrmann has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

Lohrmann joined Security Mentor, Inc. in August, 2014, and he currently serves as the Chief Security Officer (CSO) and Chief Strategist for this award-winning training company. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
