“I oppose security!” Have you ever heard a government executive say that?
I never have.
Or, have you ever overheard a statement similar to, “I think protecting personal data and sensitive information on our networks is a bad idea.”
In fact, over the past several decades working with all levels of government, I never met a politician from either end of the political spectrum who supports data breaches, or denial of service attacks or disruptions to our critical infrastructure or identity theft through hacking.
Going further, it is unlikely that any senior government executive, director, manager, supervisor, analyst or even student intern openly advocates weak computer network defenses, encourages widespread unauthorized access to critical systems or even champions poor cyber hygiene.
Nevertheless, when security and technology professionals look back at their government security programs at the federal, state and local levels over the years, they often find that funding actions don’t always match the public statements. When it comes to vocal support for information security, cybersecurity, privacy of data, network defenses, the training of staff in cyber awareness or whatever label you give to your computer security programs and projects, other priorities often get more attention and the limited resources.
More often than not, few words are spoken by public sector leaders about cybersecurity, unless a breach occurs. In most situations, silence can be even more of a concern than vocal opposition, since the needed conversations never happen.
First Step: Truly Understanding Your Situation Regarding Executive Support
Over the years, I have observed several familiar patterns regarding the lack of backing for government cybersecurity programs. While the global support situation is no doubt improving, we need to learn from past mistakes to improve in the future. We must also remember that our online adversaries continue to grow and adapt to our new online defenses.
In most situations, government decision-makers fall into the traditional adoption categorization curve regarding support for cybersecurity programs and projects. This curve includes the categories: innovators, early adopters, early majority, late majority and laggards. (Note: The percentage breakdowns listed in the hyperlinked chart aren’t necessarily the same for cybersecurity as for other technology areas, but that is a different discussion for another day.)
While is it certainly true that no one wants a data breach on their watch, there are a variety of reasons why government managers (from the technology or the business side of the house) may be slow to champion the implementation of better security controls or to allocate more resources to cybersecurity, as opposed to other government priorities.
Yes, the situation seems to be improving for many cyber programs. There is no doubt that awareness of security threats has grown amongst government personal because of the number of high-profile data breaches in the news, the new laws affecting personal data and the compliance mandates that guide health care data, credit cards, tax information and more.
And yet, I never cease to be amazed by the hurdles, barricades and even brick walls that seem to exist in some government organizations regarding the implementation of needed security protections. It is common for other priorities to get more attention and funding – often because the political leadership was elected on the promise to support initiatives such as education, roads, health care or other areas more easily seen by the public.
Simple stated, the needed resources are often not allocated to adequately protect the data or run government cybersecurity programs. For more details on these problems, you can review this Deloitte-NASCIO Cybersecurity Study that came out in 2014 which covers cybersecurity perspectives in state governments.
Here are a few select quotes from that study:
- State officials are often more confident than Chief Information Security Officers (CISOs) regarding the online protections in place.
- State CISOs are struggling to recruit and retain people with the right skills.
- CISOs continued to cite the lack of adequate funding as the top barrier to program effectiveness, consistent with both the 2010 and 2012 surveys.
What Strategies Can Help?
But enough about the problems. How can security and technology professionals overcome these difficulties?
One popular approach that does not work in the long run is to just scare the heck out of everyone by focusing on breach headlines. The common term for this tactic is a “FUD briefing” which stands for spreading fear, uncertainty and doubt. While a few recent scary news headlines about breaches can be used like a good appetizer before the main course, veteran security pros understand that lasting support requires building trust with management, delivering meaning results on key projects and providing metrics on your program’s effectiveness.
Here are seven ways that have been proven to work around the country with security and technology leaders in the public and private sectors. Whether you have a centralized, decentralized or hybrid governance model, consider trying one or more of these approaches to gain additional resources and influence in your situation.
1) Establish a security committee that includes business leaders. Build a security committee that includes influential representatives from the business-side clients you support, the technology infrastructure personnel, application development leaders you work with as well as other key decision-makers in your enterprise. Having support from legal, HR, internal audit and other areas will enable a wider support network for security initiatives. Once established, meet regularly (such as once a month) and ensure that threats are being discussed and risks are being mitigated. Make sure customer concerns are being addressed.
2) Do lunch and build personal relationships and trust with key decision-makers. In government, reputations are gained regarding who delivers and who doesn’t, and you are often working with the same group of technology and business professionals for years. You need to go out of your way to grow, nurture and strengthen your professional network.
Here’s an example from a blog I wrote several years ago for CSO Magazine regarding the separation of specific security issues from relationships with colleagues.
“Have there been disagreements. You betcha! Sometimes, you need to stand your ground and not compromise on important principles. But I try to not hold grudges or build unnecessary walls if final decisions don’t go my way. Yes, we try to build WIN/WIN solutions with customers, but if I win a tough (WIN/LOSE) argument, I attempt to immediately go out of my way to mend fences and strengthen the partnership with the customer involved. It always helps, since there is usually a “next time.”
If you get together and listen to your customers over lunch, you will naturally build relationships that will outlive bad things that happen like a denial of service attack, arguments over changes to the password policy or embarrassing audit findings….”
3) Find a business champion. Have an innovative executive from business side speak to executives who are slow adopters. Sometimes,the security or technology executive is not the best person to gain the required management support. Try working with a business executive that “gets it” and ask them to speak with their peers about the importance of specific cybersecurity protections needed now - not general support over the long-term.
If your security committee (see item #1) is effective, this type of cross-enterprise support will grow over time. Simply stated, have the leaders, innovators and early adopters (mentioned above) win over the laggards.
4) Deliver a “security roadshow” to brief your legislature, elected officials, agency heads, budget officials and department directors at least annually. In an hour or less, cover specific topics that affect your clients and their unique business situations and needs. Use metrics, true stories and allow for plenty of open dialogue and Q/A. Make this regular security briefing part of your customer service approach and always have specific actions to address to reduce risk for that customer. In simple terms, ask for their support if additional resources are needed.
In a related item, you can build public support from citizens, business groups, and other partners with a public roadshow that goes beyond your immediate circle or enterprise such as this cyber breakfast program that Michigan Governor Snyder supported and championed.
5) Leverage hot-button issues that are being funded. If you can’t beat them – join them. This means you participate in the projects that are getting funded. Think about how to: “Get on those boats that are leaving the dock.”
Do this by ensuring that security is built into these funded projects in your government. Make sure you have a seat at the table as a committee member or key resource for important initiatives. Go beyond your basic duties and help the wider technology and business teams succeed.
6) Point to other government's best-practice cybersecurity project examples. Ask: What has worked around the country in situations similar to mine? Sometimes, it is tough to win the argument with the budget office, even when you have their respect and trust. Pointing to other governments that have been successful can help you win-over skeptical execs that want to see proof that a specific project is worth funding.
One example: Review the security projects at the National Association of Chief Information Officers (NASCIO) Awards website at www.nascio.org/awards. Look at top projects for the past few years to get ideas and see how they demonstrated return on investment (ROI).
7) Partner with others outside your organization. Look at opportunities available from other governments, the Multi-State Information Sharing & Analysis Center (MS-ISAC), National Governors Association (NGA), US Department of Homeland Security (DHS), NASCIO and the private sector. As you build your security strategies, don’t forget that services may be more effective if you work with other groups that have a wider-view and perhaps other resources that you don’t have.
Local governments need to work with their states. States should be working with federal counterparts. You can learn more about some of these opportunities in this Govtech.com blog on the MS-ISAC from last year.
Another good way to gain resources and support is by establishing public / private partnerships. Non-profit organizations and private sector leaders can offer grants and resources as well as provide another voice to senior decision-makers who have many external relationships. Some private sector companies can even help you gain support funding for needed projects, but ensure you are following ethics rules.
The recent Summit on State Cybersecurity that NGA and NASCIO sponsored last week in California was very encouraging in this regard. This Summit brought together diverse groups from across the US to work together on cybersecurity priorities and programs from all parts of government enterprise and not just the technology shops. Examples were provided that can be used to build your case.
Remember that government budgets often go through pendulum swings throughout the fiscal year for a variety of reasons. In some cases “end of the year fallout money” becomes available as the fiscal year closes or if revenue exceeds previous budget forecasts.
Don't be unprepared when the wind changes. Always have your list of needed cybersecurity priority project items and purchases ready to go when management eventually says, “What do you need?”
Also, timing is essential. Just because an idea or project didn’t get approved last year, doesn’t mean it won’t gain support this year. Think in terms of: The right idea at the right place at the right time at the right price with the right person delivering the message to the right decision maker. Work with your procurement officials to ensure that the purchasing process runs smoothly.
I’d love to hear your strategies for gaining executive support for cybersecurity. Feel free to leave a comment.