For Elected Officials: A Guide to Address Online Security

Elected officials often fail to prioritize cybersecurity until after a data breach when it's too late. So what are the important security issues and actions that are needed by state and local elected officials right now? A new guide by Governing magazine and CGI was just released to answer that question.

by / September 20, 2015

Credit: Governing and CGI Group

News headlines announcing major data breaches occur almost daily. In fact, the magnitude of these breach stories is so vast that smaller data breaches and security incidents happening around the country in many state and local governments often receive much less public attention. Nevertheless, data breaches and other cybersecurity incidents are now happening all across America at an alarming rate with significant impacts to citizen privacy.

This serious cybersecurity situation urgently requires the attention of elected officials. While there are many checklists and an assortment of executive guides for government technology leaders regarding recommended online security actions, there has been far less attention on needed actions for elected officials and political leaders – until recently.

Governing magazine and CGI just released this new: Guide to Cybersecurity as Risk Management for Elected Officials. This important white paper helps elected leaders by:

• Spelling out cybersecurity risks and providing information to help public officials fulfill their responsibilities and safeguard their communities.

• Suggesting strategies for integrating cybersecurity into an organization’s risk management framework, and developing and adapting cybersecurity and cyberdisruption response policies and plans.

• Discussing the private sector’s role in government cybersecurity efforts; although governments are often leery of collaborating and sharing with third parties, when it comes to cybersecurity, the private sector’s involvement is imperative.

• Offering practical and actionable information to support the cybersecurity risk management efforts of elected officials.

I think this new guide offers an important service to elected leaders, and is a must-read – especially for those who do not have a technology background or deep understanding of cybersecurity or Internet privacy issues affecting their constituents.

Background on Similar Efforts to Help Elected Officials With Cybersecurity

There have been several reports and some helpful training materials over the past few years to inform new and returning elected leaders regarding cybersecurity challenges facing our nation – and especially state and local governments.

A few years back, the Multi-State Information Sharing & Analysis Center (MS-ISAC) sent out this tutorial and checklist to local elected leaders with the financial support of the U.S. Department of Homeland Security. The pamphlet was called: “Local Government Cyber Security: Getting Started - A Non-Technical Guide Essential for Elected Officials Administrative Officials Business Managers.”

That guide was endorsed by a long list of organizations such as: The Global Council Public Safety and Security, National Cyber Security Alliance, National Association of Counties (NACo) and many information sharing and analysis centers. It covered a glossary of terms, discussion on why cybersecurity is important, and several lists of recommended actions.

Last year, NACO held a session on cybersecurity for elected officials. Those presentation slides cover lists of potential causes and outcomes from data breaches.

What can happen if a breach occurs? The presentation mentions:

• Political Fallout
• Damage to reputation
• Compliance obligations
• Federal investigations
• Investigations by State Attorney
• General Possible Civil litigation

They could have also added financial impact to other state and local government priorities.

Further, this direct statement is made: “County governments and county officials are not exempted from compliance with applicable laws aimed at protecting personally identifiable information and may be subject to penalties and fines.”

Finally, this National Conference of State Legislatures (NCSL) article from December 2014, pointed out that states must have a cybersecurity plan. The article offers some good tips to consider. Also, the overall NCSL website offers this list of state government breach notification laws.

Credit: Governing and CGI Group

Details on New Governing & CGI Guide for Elected Officials

So what makes this new Governing & CGI guide on cybersecurity a must-read right now? The precision and punch of some of the headings, which give an instantaneous sense of the relevance and utility of the content. 

The actions that need to be taken by the administrator for unique executive, confidentiality security concerns including legal provisions that apply to selected elected positions and perhaps selected process and technical considerations (not servers), but more general actions. 

One of the things that I like best about the Guide to Cybersecurity as Risk Management for Elected Officials includes the list of how lawmakers can be a part of the cybersecurity effort. Here are some example actions recommended: 

1. Support and promote risk-based cybersecurity management in both the public and private sectors, including the adoption of the NIST Cybersecurity Framework.

2. Collaborate closely with agency executives, CIOs and CISOs. Invite them to appropriate legislative meetings to educate yourself and fellow lawmakers on the organization’s cybersecurity philosophies, strategies and needs, and to help elevate their department and mission.

3. Be a vocal advocate for strong cybersecurity public education programs. As a lawmaker, you can draw on increased public awareness of the importance of secure government technology infrastructure to pass legislation and secure funding.

4. Prioritize cybersecurity funding. Work with the executive branch, agency heads and security experts to understand fiscal requirements. Do they have the appropriate levels of funding, staffing and other resources? If not, can they partner externally to supplement internal capabilities? Collaborate with agency experts and allies in the legislature and private sector to identify and support appropriate cybersecurity funding.

5. Promote cybersecurity as a key economic driver and a critical component of a thriving business and technology culture. Develop business friendly programs to understand community needs; provide education, training opportunities and job fairs to strengthen the cybersecurity workforce; and showcase security best practices and innovation.

6. Facilitate intergovernmental (i.e., executive, judicial, legislative, federal, state and local) communication and collaboration about cybersecurity threats, issues and plans.

7. Propose and/or support legislation that enables easier sharing of information about cyberthreats among federal, state and local government agencies and with the private sector.

8. Work to toughen laws that protect citizen and government data. For example, evaluate breach notification laws that determine when a breach has occurred, or the state’s definition of personally identifiable information (PII).

9. Promote cybersecurity in schools. A top hiring challenge nationally is finding qualified individuals with cybersecurity and data analytics talent. Promoting these programs in all levels of public and private education will not only help create a more educated society, but also will help solve a critical talent shortage and drive economic development in this emerging industry.


The Governing guide closes with five immediate recommendations. While I won’t list the details under each item here, I will close with these items for us all to consider – especially for elected leaders as we head into 2015:

• Apply risk-based management to cybersecurity planning.
• Adopt the NIST Cybersecurity Framework.
• Collaborate internally and externally.
• Be a cybersecurity leader and advocate.
• Educate and promote cybersecurity.

I really like the way Governing covers an immense amount of essential information for political leaders in one place. Even if you feel that you already know about these threats and solutions, I urge readers to take a close look and share this information with elected leaders or other government officials in your area.

Best of all: The PDF download is free.


Dan Lohrmann Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso