Idaho’s Keith Tresh on Why CISOs Must Be 'Better Sales People'

Cybersecurity awareness can't happen without clear messaging. Keith Tresh, CISO of Idaho, explores why a strong cyber defense strategy depends on CISOs learning to speak other agencies’ languages.

A chief information security officer's work may be as much about communication as it is about selecting the right defenses.

Keeping agencies safe requires compromise between cybersecurity teams charged with envisioning threats and departments that are more likely to be focused on the desirable functionalities digital solutions can offer. The CISO, therefore, needs to be able to fine-tune their security approaches to a state's particular risk levels to ensure safety without introducing unnecessary frictions. This balancing act requires cybersecurity teams to be able to explain to other departments why the security measures they settled on are necessary.

Establishing trusted, communicative relationships with other departments can be essential, said Keith Tresh when Government Technology caught up with him about his first year as Idaho’s CISO.

“You have to be able and willing to work with the business side to manage risk,” Tresh said. “That’s what security is — managing risk.”
Tresh came to Idaho from California, where he had held a variety of cybersecurity roles, including CISO of the state and, later, of Orange County. Each jurisdictional switch brought with it major changes in the types, volume and likelihood of cyber risks.

“The approach and the focus are completely different” across those agencies, Tresh explained. Further, when switching from California to Idaho, “it’s like when you’re a small business versus a medium business.”

California’s more vocal political climate and tendency to make news for stances on controversial topics results in the state being more frequently targeted by ideologically motivated hackers, and its massive economy often tempts cyber criminals looking for lucrative payouts. Meanwhile, Idaho’s quieter political scene and different economic focus make it a somewhat smaller target, Tresh said.
Smaller targets are still targets, however. The sense of lower risk can be a mixed blessing because it can trick agencies into overestimating how safe they are.

“It’s a dual-edged sword,” Tresh said. “You can be a little more creative, but if people want to focus on the fact that we’re not as big a target, there are some who may say, 'Well, hey, we’re not as big a target, why do we have to do that, then?’”

CISOs need to apply enough preventative safeguards to protect systems and data without holding back the operations of other agencies. That kind of calculation can impact decisions around the kinds of authentication steps and other protective measures state employees should abide by when remotely accessing government systems, for example. The right balance will be different for each state, based on its unique circumstances.

CISOs must be ready to inform agencies — especially those that have experienced the damage of cyber attacks firsthand — about why they’re being asked to go through all the recommended layers of security, he explained. His own prior experience in CIO roles, alongside cybersecurity ones, has given him perspective on this dynamic.

“I’m trying my best to create trusting relationships with people and make them understand [that] all I’m here to do is to try to help them make things easier, not try to make their lives miserable,” Tresh said.

The best cybersecurity efforts preempt and thwart attacks before damage is done, which makes it hard for agencies to assess how much potential loss they avoided by adopting security measures. This reality makes it even more essential for CISOs to learn to speak other agencies’ languages — to underscore why security policies are beneficial in terms that will resonate, Tresh said.

“We need to be evolving into a place where we’re able to put a bow around why security is important, not just because we say so and because of hacks, but because of how it affects the bottom line … return on investment, trust and your reputation,” he said.

In short, CISOs need to learn “how to be better sales people.”

After all, even agencies that avoid falling victim to breaches can't count on being as lucky in the future, given that cyber criminals are always honing their attacks. The recent Microsoft Exchange and SolarWinds hacks demonstrate that risks can be anywhere, even within some of the largest companies and the software patches they ship. States must take a zero-trust approach, Tresh said, because hard-to-see attacks are likely to get worse.

“Once the bad guys and gals see something works, they repackage it and use it elsewhere,” he said. “This year, we’re probably going to see more of those.”

Jule Pattison-Gordon is a staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.