10 Dos and Don’ts for Government Cybersecurity Leaders

The new decade offers more challenges for cybersecurity leaders than ever, from tracking evolving threats to navigating budget constraints. Keep these best practices in mind for effective security management.

Effective leadership is never easy.  

But for government cyberleaders in the 2020s, the challenge is perhaps more daunting than ever before. From keeping track of exploding cyberthreats to acquiring and retaining talented pros for your public-sector team to championing the importance of cybersecurity to managing budget priorities in tough economic times, the list of responsibilities and expectations is growing steadily.  

Add the remote working changes in people, processes and technology that enterprises faced in 2020, along with other pandemic pressures, and it is amazing that security leaders keep coming back each day. So how can cyberchiefs traverse this hectic landscape?    

Here are 10 best practices that come from a list of security industry resources, five dos and five don’ts for new and veteran government cyberleaders. Even if you’ve heard some of these tips before, ask a trusted colleague to help assess how you are doing in each area. I’ll start with what not to do:

1. Don’t be “Doctor No.” Security professionals are infamous for shooting down whatever ideas or new technologies business areas propose as improvements. Typical answer: “Can’t do that! Not secure!” Instead, get to “yes” on projects. Be known as an enabler of new technologies. Offer alternative solutions that can work at different price points with varying levels of risk that are understood by the business. If your team is having difficulty coming up with workable options, do more research or talk with similar governments in other parts of the country about how they implemented similar solutions.

2. Don’t stop communicating. Poor communication is listed as the top hindrance for organizations globally. Many security leaders start off well, but fail to communicate 360 degrees in an ongoing manner via a variety of channels. Instead, security leaders must constantly be providing timely updates and cyberawareness to internal and external clients. Consider regular security “road shows” to customers to articulate threats, describe actions required and show the value that your security organization is providing.    

3. Don’t stay inward-focused. One tendency for gov tech leaders is to just focus on internal audit findings, data breaches or other incidents. The immediate problems may be so overwhelming that it seems there is no time to look outside your organization to get help or give help. Instead, build lasting partnerships. “Security on an island” will fail. You don’t know what you don’t know, so get involved with groups like the MS-ISAC for collaboration. Also, consider the security committees for the National Governors Association, the Public Technology Institute, the National Association of State Chief Information Officers and vendor partners with helpful case studies addressing your cyberissues.  

4. Don’t become overconfident. Surprisingly, a significant number of government security leaders report that everything is fine on the security front. “No data breaches here!” This is often overconfidence in their team’s abilities, or perhaps the fruits of a job well done. Instead, stay humble and vigilant. Even if you have been able to successfully navigate your leadership challenges so far, you never know what tomorrow will bring. Bad actors are trying harder than ever to overcome your cyberdefenses.  

5. Don’t forget to celebrate success. Since securing the enterprise is never complete, some never stop to enjoy project success. Be sure to thank your staff. Throw a party when key milestones are complete.  

And here are five more things you should do:

1. Do meet with business leaders regularly. Do lunch, and not just with technology or security pros. Discuss their unique business requirements and goals, not just your team’s strengths and weaknesses.  

2. Do have a plan. Cyberstrategies that work together with wider technology goals are a must. If you are struggling to plan, review peer strategies from government leaders you trust and respect.   

3. Do practice. Partner with other governments, criminal justice agencies, nonprofits and others on tabletop exercises surrounding security incident response.

4. Do find and/or be a mentor. The MS-ISAC mentoring program is a great place to start.  

5. Do persevere. Become a resilient team. You can do this, and there are many people eager to help.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.