What’s the most important aspect of improving cybersecurity?
A) Implementing state-of-the-art technology that works;
B) Re-engineering the processes that businesses use to apply appropriate security policy; or
C) Changing the security culture in an organization.
Most experts think the answer is C. Why? One leading security consultant said that despite the fact that beneficial organizational improvements require changes in people, processes and technology, more than 90 percent of the difficulty is in modifying behaviors of end users, systems administrators and even senior management.
Whether or not you agree, this leads to other vital questions: What is your government doing to impact the security culture? How can we, as security and technology leaders, motivate, influence and impact thousands of people? What really works, and what activities bring the greatest ROI for our time and money?
A typical response is to offer employee training, which most governments provide to meet compliance requirements, and updated security training for technical staff. Many leading companies even bring in professionals who specialize in building organizational change programs.
But I’d like to suggest a more focused and personal approach: Find a mentor from another part of the country or a seasoned security pro who can mentor a recently appointed security leader.
Mentoring works because it allows newer leaders to learn from their predecessors’ mistakes and successes. Numerous studies and white papers have shown the benefits of benchmarking. Having a mentor can build some of that same synergy, but on a more personal level with someone who is trying to help you become more effective.
In 2009, Forbes magazine answered the question: Who needs an executive coach? Here’s the beginning: “Executive coaching is hot. What was once stigma (‘You’re so broken you need a coach?’) has become status symbol (‘You’re so valuable you get a coach?’). Tiger Woods and Michael Phelps have coaches. Even President Barack Obama has a coach, if you count David Axelrod. Microsoft’s young, high-potential leaders get coaches. If elite athletes and organizations think they need coaches, shouldn’t you have one too?”
The article states that coaching isn’t for everyone, but excellent candidates are important leaders who have evolving roles that greatly affect an organization in powerful ways. Other experts said the keys to successful mentoring include: a willingness to learn and be mentored; an openness to discuss sensitive work-related topics; selecting a mentor and mentee who aren’t in the direct management chain; and giving the relationship the appropriate priority with a reasonable time commitment.
This year, the Multi-State Information Sharing and Analysis Center (MS-ISAC), the center for sharing cybersecurity threat and response information, launched a one-year mentoring pilot program in which nine state and local security professionals are mentors and nine newer cybersecurity leaders are being mentored by someone outside their state.
Participants mainly include chief security officers and chief information security officers, but a few junior leaders also are seeking to improve their security skills. The pilot comprises monthly phone conversations as well as face-to-face discussions at the MS-ISAC Annual Meeting.
The mentoring program has several objectives, including:
Improve the useful sharing of security best practices and organizational insights on what really works among state and local governments.
Build a government security culture that improves cyberdefense nationwide by making the people a priority.
In conclusion, Seneca once said, “Even while men teach, they learn.” I am looking forward to learning, as a security mentor.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.
He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.
Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.
He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.