Why is it so hard to reduce risk and implement required online protections? I’m not talking about implementing bleeding-edge cyberproducts, but basic security improvements. Despite legal mandates, audit findings, public pronouncements of cybersupport and years of trying to strengthen system controls, many of the fundamental elements required to reduce risk still aren’t in place in governments around the country.

But failure isn’t unique to the security field. Everyone knows that a large percentage of technology projects fail. Great ideas, well thought-out plans and even top priorities never get implemented. The reasons for project failure vary widely, but commonly include lack of resources, poor project management or requirements, conflicting priorities or the wrong staff working on tasks. And yet, all of these problems point to a core element of project success: executive buy-in and commitment.

“You have my full support.” These are the words that CIOs want to hear whenever they try to sell the value of projects to customers, colleagues and management. But how can we get executive support for security projects?

Unfortunately gaining executive buy-in for increasing online protections is difficult, even in the best circumstances. To put it mildly, most executives have higher priorities than security spending — cyberprojects often seem like a tax to be reduced. In many cases, the most talented resources are deployed on hot business projects that (they think will) show an immediate return on investment (ROI). Meanwhile, demonstrating an ROI on security projects appears more difficult, if even achievable.

What’s to be done? How can government security personnel, IT leaders, project managers or others gain that all-important executive buy-in for cybersecurity? I’d like to offer a potential pitfall in this area and two solutions.

Beware of the FUD

A common way to get people’s attention is to scare the heck out of them. Security experts call this “fear, uncertainty and doubt” or FUD. Typically FUD is supported with scary headlines calling out third-world hackers, governments that lost money, victims of identity theft, etc. If you tack on large statistics detailing the number of spam messages sent your government’s way or successful phishing attempts, audiences will shake their heads, saying, “I’m glad this is your job and not mine.”

Yes, regularly updated FUD works, but management generally doesn’t respond long term to a fear-only approach. They eventually get to the harder questions: How are you helping things? Is your team making a difference?

Jump On the Hot-Button Issues

So what’s more effective than FUD? First, jump on the boats that are already leaving the dock. (Make sure you get involved early and don’t have to bolt on security after the fact.) Build security elements into all of the hot projects that are funded priorities. Two super-hot issues are cloud computing and smartphones — however, this list changes over time. Put your most effective security professionals (with the best people skills) on the hottest projects so that your cybersecurity team stays relevant to the enterprise.

Tip — If you don’t have the skills on your cyberteam to keep up with the best and brightest on the hot projects, recruit differently or get contract help. You can’t afford to have your cyberambassadors be irrelevant.

Find a Business Champion

Second, find out who in your organization is backing cyberchange in powerful ways and get behind that snowplow. Surprisingly this may not be an IT manager. For example, I’ve seen security champions in the transportation and treasury departments. The senior execs in treasury were in charge of credit cards and needed payment card industry compliance. They pushed for extensive improvements in our network controls by demonstrating the penalties of noncompliance.

In transportation a few years ago, a senior exec wanted to set a positive example after “inappropriate use” cases arose. Now they’re model customers.

Tip — Watch for emerging leaders who may be sympathetic to previous cyberproposals. Try to repackage your good ideas, and don’t give up because of past disappointments.

John Q. Adams once said, “If your actions inspire others to dream more, learn more, do more and become more, you are a leader.” Our governments need cyberprotection leaders at all management levels — now more than ever.

Dan Lohrmann  |  Contributing Writer

Daniel J. Lohrmann became Michigan's first chief security officer (CSO) and deputy director for cybersecurity and infrastructure protection in October 2011. Lohrmann is leading Michigan's development and implementation of a comprehensive security strategy for all of the state’s resources and infrastructure. His organization is providing Michigan with a single entity charged with the oversight of risk management and security issues associated with Michigan assets, property, systems and networks.

Lohrmann is a globally recognized author and blogger on technology and security topics. His keynote speeches have been heard at worldwide events, such as GovTech in South Africa, IDC Security Roadshow in Moscow, and the RSA Conference in San Francisco. He has been honored with numerous cybersecurity and technology leadership awards, including “CSO of the Year” by SC Magazine and “Public Official of the Year” by Governing magazine.

His Michigan government security team’s mission is to:

  • establish Michigan as a global leader in cyberawareness, training and citizen safety;
  • provide state agencies and their employees with a single entity charged with the oversight of risk management and security issues associated with state of Michigan assets, property, systems and networks;
  • develop and implement a comprehensive security strategy (Michigan Cyber Initiative) for all Michigan resources and infrastructure;
  • improve efficiency within the state’s Department of Technology, Management and Budget; and
  • provide combined focus on emergency management efforts.

He currently represents the National Association of State Chief Information Officers (NASCIO) on the IT Government Coordinating Council that’s led by the U.S. Department of Homeland Security. He also serves as an adviser on TechAmerica's Cloud Commission and the Global Cyber Roundtable.

From January 2009 until October 2011, Lohrmann served as Michigan's chief technology officer and director of infrastructure services administration. He led more than 750 technology staff and contractors in administering functions, such as technical architecture, project management, data center operations, systems integration, customer service (call) center support, PC and server administration, office automation and field services support.

Under Lohrmann’s leadership, Michigan established the award-winning Mi-Cloud data storage and hosting service, and his infrastructure team was recognized by NASCIO and others for best practices and for leading state and local governments in effective technology service delivery.

Earlier in his career, Lohrmann served as the state of Michigan's first chief information security officer (CISO) from May 2002 until January 2009. He directed Michigan's award-winning Office of Enterprise Security for almost seven years.

Lohrmann's first book, Virtual Integrity: Faithfully Navigating the Brave New Web, was published in November 2008. Lohrmann was also the chairman of the board for 2008-2009 and past president (2006-2007) of the Michigan InfraGard Member's Alliance.

Prior to becoming Michigan's CISO, Lohrmann served as the senior technology executive for e-Michigan, where he published an award-winning academic paper titled The Michigan.gov Story — Reinventing State Government Online. He also served as director of IT and CIO for the Michigan Department of Management and Budget in the late 1990s.

Lohrmann has more than 26 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a U.S./UK military facility.

Lohrmann is a distinguished guest lecturer for Norwich University in the field of information assurance. He also has been a keynote speaker at IT events around the world, including numerous SecureWorld and ITEC conferences in addition to online webinars and podcasts. He has been featured in numerous daily newspapers, radio programs and magazines. Lohrmann writes a bimonthly column for Public CIO magazine on cybersecurity. He's published articles on security, technology management, cross-boundary integration, building e-government applications, cloud computing, virtualization and securing portals.

He holds a master’s degree in computer science from Johns Hopkins University in Baltimore and a bachelor’s degree in computer science from Valparaiso University in Indiana.

NOTE: The columns here are Dan Lohrmann's own views. The opinions expressed do not necessarily represent the state of Michigan's official positions.

Recent Awards:
2011 Technology Leadership Award: InfoWorld
Premier 100 IT Leader for 2010: Computerworld magazine
2009 Top Doers, Dreamers and Drivers: Government Technology magazine
Public Official of the Year: Governing magazine — November 2008
CSO of the Year: SC Magazine — April 2008
Top 25 in Security Industry: Security magazine — December 2007
Compass Award: CSO Magazine — March 2007
Information Security Executive of the Year: Central Award 2006