We all know that best practices require attention to people, processes and technology. As you might expect, almost all of the top challenges start with people issues, such as finding and keeping the right cyber professionals with experience. And when those top-notch government staff or contractors leave, ensuring that operational processes and procedures are maintained, despite staff turnover, becomes a huge headache for CIOs and CISOs.
It is also widely understood that ensuring proper coverage for vacations, emergencies and turnover is best dealt with by having well-trained experts to cover for others when needed. And yet, cross-training of cyber skills and keeping the needed depth of staff resources with the ability to cover critical functions when the unexpected occurs seems to be harder than ever in 2023.
Meanwhile, executives generally assume that everything is being done right because millions of dollars are being spent on cybersecurity. Management thinks, “We’ve got this covered. Our team is great. It won’t happen to us.”
And even if your team has performed incident response miracles in the past, that does not guarantee they can do it again. Perhaps the team is worn out and ill-equipped to keep performing at a top level. I’ve seen burnt-out teams leading to a staff exodus, causing resiliency issues. Good management understands that, like when emergency management responds to a natural disaster, cyber incident response teams can only go for so long.
Management might also assume that outsourced functions are being taken care of properly, but it’s important to remember that while you can partner with vendors, you can never outsource responsibility.
Beyond just getting more bodies to help, another way of looking at solutions to this set of resiliency challenges is to examine the common reasons given for organizational failure when cyber attacks cause significant disruptions to operations.
In the last chapter of the book Cyber Mayday and the Day After, which I co-authored with Shamane Tan, we examine excuses that teams often give for not implementing cybersecurity best practices. Sadly, these conversations often only occur after a major incident.
Excuse: We couldn’t afford it.
Questions to ask: Are there other areas where we’re spending our budget that can be reallocated? How does our budget align with the company strategy and business risk?
Tip: Cybersecurity budget and resources must be prioritized.
Excuse: We didn’t understand why it was necessary.
Questions to ask: What is the current security awareness culture like among the leadership team and the different divisions?
Tip: Team education is an ongoing must-have.
Excuse: We tried that before and it didn’t work.
Questions to ask: What was the environment like before when it didn’t work? What were the reasons it failed? How can change be made and executed differently this time? Have you looked at the mechanics of influence?
Tip: The right time, place, product, team and culture are needed for success. It may be best to try again.
Excuse: We thought we had a better way.
Questions to ask: Have you consulted with the right (expert) sources before coming to this decision? If an incident should happen and the organization comes under scrutiny, is there documented evidence that due diligence has been done?
Tip: Choose strategy wisely — with backup data that is documented.
It has never been easy to maintain top-notch backup staff for any technology or security function in the public or private sectors. And yet leading organizations, such as the military, have built an ongoing culture of excellence. Their thinking is that, despite turnover, cross-training can yield operational excellence — even when the unexpected occurs.
This story originally appeared in the April/May issue of Government Technology magazine. Click here to view the full digital edition.
