I know, most of you are thinking, “Thanks for the advice, but that won’t be necessary.”
Digging deeper, most politicians and their appointed executives often say something to the effect of, “Cybersecurity is already a top concern. We understand that the National Association of State Chief Information Officers has made cyber defense the top priority for the past decade-plus, and we’ve seen how ransomware has ravaged the public and private sectors. We’ve been briefed on foreign adversary mischief online, and the cyber attacks just keep coming against our government. But have no fear, we’ve got this. Been there, done that, got the T-shirt.”
But that old mindset will no longer suffice.
Why? Because the messages, actions and urgency set from the top of the government impact your organization’s risk profile, and the due diligence required to ensure critical infrastructure resiliency cannot be left to lower-level appointees.
Also, last year’s cyber program will not be enough to address tomorrow’s cyber challenges. Even if your government has been successful at addressing cyber attacks and ransomware threats so far, our rapidly expanding digital world is bringing new, even greater stakes and greater tests in the future. Sadly, the bad actors are improving as fast as, or faster than, the good guys.
Neglecting cybersecurity can:
- Undermine the reputation of both the government and elected officials;
- Force unacceptable expenditures associated with the cost of cleaning up after security breaches;
- Cripple governments’ abilities to respond to a wide variety of homeland security emergency situations or to recover from natural or manmade disasters;
- Disable elected officials’ ability to govern.
First, I’ve never seen any public- or private-sector executive leader say, “Cybersecurity is not important or a low priority.” Such statements would harm credibility. Just as in physical health, everyone agrees that good cyber hygiene makes sense and that actions like patching servers, managing identities well and maintaining a tested incident response plan are important.
However, actions often don’t match the words. What is more common is for government organizations to treat cybersecurity as an annual event that comes and goes, or a check-the-box requirement needed for compliance or to address audit findings.
Elected and appointed leaders need to make cybersecurity a true priority and a core part of government culture. Talk about cyber protections often — and walk the talk. Surround yourself with experts who can advise your organization on best practices from similar governments around the country.
Second, many government leaders believe that cybersecurity is just another subcategory under technology. One reason is that from a governance perspective, the state’s chief information security officer generally reports to the CIO, who runs technology.
But cybersecurity is a business risk issue that will either strengthen or harm your entire government strategy. Security experts agree that what is needed is a robust system of governance and accountability that starts at the top and is similar to the way that risk is managed in other parts of government.
Government leaders have come to expect that dashboards and action plans be put in place to track revenues, spending, project status on key government initiatives and much more — and cybersecurity metrics should be a part of that executive-level dashboard.
Third, the NIST Cybersecurity Framework is a great place to gain direction and guidance. It describes how organizations of any size can improve cybersecurity risk management through its core functions: identifying the assets and risks that matter, protecting them, and detecting, responding to and recovering from the cyber attacks that will inevitably occur.
But regardless of the framework used, your employees, clients, constituents, partners and others you interact with need to see leadership on cybersecurity from the top.
The exciting mandate that comes with a new or re-elected administration is the perfect time to realign — or even start over — on cybersecurity. As Theodore Roosevelt once said, “In any moment of decision, the best thing you can do is the right thing, the next best thing is the wrong thing and the worst thing you can do is nothing.”