During the years’ I’ve spent working in government I have witnessed interesting political shenanigans but I’ve never heard politicians put positive spin on a data breach or cyber crime. No one says out loud that we should stop worrying about computer network defenses or poor cyber hygiene.
Nevertheless, if we look back over security programs at the federal, state and local levels, we can see that funding actions don’t always match public statements. Even basic verbal support for information security, privacy, and awareness training is woefully limited. Other priorities get more attention and more resources.
Public sector leaders rarely speak about cybersecurity unless a breach occurs, and even then the conversation is more about damage control than the lessons learned. Fostering security requires vigilance, education, remediation, and planning. Apathy is worse than opposition because the beneficial public dialogue never happens.
Assess and Improve the Quality of Executive Support
Over the years, I have observed several patterns in the lack of backing of government cybersecurity programs. The situation is, no doubt improving but we need to learn from past mistakes to improve. After all, our online challengers never relent in their push to adapt to whatever defenses we construct.
Government decision-makers often align their support for cybersecurity projects with the technology adoption curve. This curve includes: innovators, early adopters, early majority, late majority and laggards. (Note: The percentage breakdowns listed in the linked chart aren’t necessarily the same for cybersecurity as for other areas.)
While no one wants a data breach on their watch, government managers are slow to champion the implementation of better security controls or to allocate more resources to security programs. Fortunately, awareness of security threats is growing amongst government personnel because of frequent high-profile data breaches, new personal data laws, and compliance mandates for health care data, credit cards, tax information, and more.
Yet, I never cease to be amazed by the barricades and walls that exist in some government organisations around implementing vital protective measures. Other priorities prevail, often because political leadership was elected on promises to support education, roads, health care and other initiatives more visible to the public.
Seven Strategies to Build Support
How can security and technology professionals overcome these difficulties? Following are seven methods that have been proven to work around the country, in both public and private sectors. Whether you have a centralised, decentralised or hybrid governance model, consider trying one or more of these approaches to garner additional resources and influence.
1) Establish a security committee that includes business leaders. Include influential representatives from business-side clients, technology infrastructure personnel, application development leaders, and key decision-makers. Solicit support from legal, HR, internal audit and other areas to build a broad foundation for security awareness and adoption. Meet regularly, discuss threats and concerns, and take concrete steps to mitigate risks.
2) Build personal relationships and trust with key decision-makers. In government, reputations are based on who delivers and who doesn’t. You are likely to work with the same group of professionals for years, so put yourself out there. Conscientiously grow and strengthen your network.
3) Find a business champion. Have an innovative executive from the business side engage with slow adopters. Sometimes, the security or technology executive is not the best person to seek management’s support. Ask a business executive who “gets it” to speak with their peers about the importance of specific and immediate cybersecurity needs. If your security committee (see 1) is effective, this cross-enterprise support will grow over time. Encourage the leaders, innovators and early adopters to work on winning over the laggards.
4) Deliver a “security roadshow” briefing to legislature, elected officials, agency heads, budget officials and department directors at least annually. Use metrics and case studies to illustrate the specific topics that affect your clients. Allow for plenty of open dialogue and Q&A. Make this security briefing part of your customer service approach and always address specific actions that will reduce risk for that customer. When necessary, ask for additional resources in clear and simple terms.
5) If you can’t beat them – join them. “Get on the boats that are leaving the dock.” Leverage hot-button issues that are being funded. Participate in projects that are already getting funded; ensure that security is built in from the outset. For important initiatives, get a seat at the table as a committee member or key resource. Go beyond your basic duties to support the success of related teams.
6) Identify and point to other governments’ best-practice cybersecurity projects. It’s tough to persuade the budget office even if you have their respect. Pointing to successful government initiatives can win over skeptical execs who want real-world proof that a specific project is worth funding.
7) Partner with others outside your organisation. Look at opportunities available in the private sector, other governments, the Multi-State Information Sharing and Analysis Center (MS-ISAC), National Governors Association (NGA), US Department of Homeland Security (DHS), and NASCIO. As you build your security strategies, don’t forget to collaborate with groups that have a wider view and deeper pockets.
Be Prepared and Persistent
Remember that government budgets often go through pendulum swings throughout the fiscal year. In some cases “end of the year fallout money” becomes available as the fiscal year closes. Be prepared to jump on such opportunities. Always have your prioritised wish list ready in case management asks, “What do you need?”
Timing is essential. Don’t give up after an initial rejection. It’s all about the right idea at the right place at the right time at the right price—with the right person delivering the message to the right decision maker.
I’d love to hear your strategies for gaining executive support for cybersecurity.
About Daniel J. Lohrmann
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Lohrmann has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
Lohrmann joined Security Mentor, Inc. in August, 2014, and he currently serves as the Chief Security Officer (CSO) and Chief Strategist for this award-winning training company. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors.
This article is brought to you by Enex TestLab, content directors for CSO Australia.