5 Ways to Initiate Communication about Cybersecurity

Well-planned cybersecurity roadshows can help get agencies on board and up to speed.

by Dan Lohrmann / January/February 2018

While I was chief security officer (CSO) in Michigan, the most impactful way our centralized security team communicated with executives was with regular security roadshows with client agencies. Important information was exchanged during these annual sessions in front of top business leaders, including physical- and cyberthreat briefings, key project status updates, discussions on security capabilities, conversations on staff awareness training programs, and ongoing incident status reports.

While we packed a lot of topics into an hour, our format encouraged an open dialog with everyone involved to build face-to-face transparency, accountability and trust. But before we traveled around to meet with government leaders in each department such as state police, transportation, treasury and more, we started each governmentwide cybertour with the governor.

These meetings were important because they brought our security project scorecard to life with statewide metrics and agency-specific actions. They enabled ongoing conversations regarding cybersecurity risks and outlined the steps that were being taken or could be taken to mitigate threats. Our stated goal was “to balance security and ease of use to maximize value and enable the business.”

So how can you begin this security conversation with business areas in your government? Here are five communication tips to consider: 

1. Do Your Homework. Decide who should be involved, what topics and materials will be covered, when to put these meetings on busy calendars, where you will meet, and how you will run the meetings. As CSO, I let the business areas select their executive participants, and some groups kept it small, while others invited up to 30 agency leaders. Also, if scheduling the time isn’t working, you likely have a larger business priority issue regarding cybersecurity.

2. Select Good Metrics and Keep Reporting. Just as businesses maintain key metrics of success, offer measurements that are understandable and repeatable as part of the ongoing security conversation. 

3. Adapt to the Audience. While a consistent, updated enterprise presentation was offered every year on our roadshow, we also adjusted our messages to each audience. Flexibility is especially needed when meeting with new agency leaders who need to bone up on security concepts.

4. Don’t Limit Communication Options. Security roadshows should be a part of a wider set of ways you communicate with business groups. Channels can range from newsletters to emails to tabletop exercises to emergency call lists for incidents. We also invited our government partners to our cybersummits and scheduled one-on-one lunches. Nevertheless, ongoing security roadshows were a vital component of our overall cyberstrategy.

5. Leverage Existing Governance Mechanisms. One chief information security officer I know uses technology and security advisory boards to help provide briefings to key business executive staff, while also keeping the governor’s office and cabinet officials informed. He also uses the same briefings for cabinet meetings, legislative committees and updating other government entities that have an ongoing role. For low-hanging fruit: Start small with key business areas.

Having a strong endorsement from top elected officials is great, but (sadly) is not always the case. If you can’t get your top leader to vocally support cybersecurity, try to find business-side champions to help shape your message. Most organizations have leaders, followers and laggards on tech, so start with a “coalition of the willing” who support your efforts to get some needed momentum.

Remember, the top complaint in most public- and private-sector organizations is a lack of good communication on key issues, including cybersecurity. Security roadshows will improve your team’s effectiveness by offering meaningful dialog with business executives on cybersecurity risk.

Dan Lohrmann, Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso