The Public Sector CIO: Chief Cybersecurity Officer?
By David Whicker, CIO, Rockingham County
Cybersecurity settles at the forefront of the IT executive's mind for the simple fact that we are the stewards of our organization's information and digital assets. Each day we read the next breaking news story covering the latest breach, and we begin to experience that unpleasant feeling that comes over one like a cobweb in an Indiana Jones movie. Why the feeling? If for no other reason, the CIO is keenly aware of the danger these threats pose as we consider the looming question of whether our organization and/or name will be the next to headline tomorrow’s news story.
The CIO is expected to have all the answers and provide information security comparable to an iron dome or impenetrable force field. The cold hard truth is that no organization, private or public, has the capability or resources to fulfill that pipe dream. As dire as this may sound, all is not lost. In fact, there are many actions we can and should take towards greatly reducing even the possibility of a breach.
The real question is simply: what are you doing about Cybersecurity? No matter the circle or event, when this question comes up around other IT executives, the response almost always (99.999 percent of the time) goes something like this: “We could be doing more.” Go ahead and try it out just as a therapeutic exercise; take a moment to pause and state out loud: there is more I could be doing. So what is the more we could and should be doing?
Assess where you are
An honest assessment of exactly where your organization is with Cybersecurity, if anywhere at all, is the best place to start. Firewall appliances and antivirus software are great, but these are like pebbles in a pond compared to a real assessment. An assessment should at the very least answer some of the following key questions:
- Have key business processes been identified?
- Do we understand what our digital assets are and how they are used?
- Where are these assets stored and what safeguards are in place to protect them?
- What laws and regulations apply to our organization?
- Do we have an IT governance model in place?
As painfully eye-opening as this exercise may prove to be, you can begin to use this information to identify areas of opportunity, vulnerability, and hopefully some low-hanging fruit.
Develop a Plan of Action
Once you have a baseline understanding of where you are and what you have, you can then begin to develop a methodical plan of action. Focusing on how far behind you might be or where you should be is not going to be the most effective use of your time. The great news is there is no need to reinvent the wheel as there are several free resources available to get you started and well on your way.
Organizational commitment can be a very steep hill to climb, as most CISOs would attest. There are several levels of commitment required in order for any Cybersecurity effort to succeed. The fact of the matter is that Cybersecurity is not just an IT issue but rather it is a business issue. Not convinced? What would happen today if the Tax Collection software went completely offline as a result of a breach? To make matters worse, there are 30 impatient citizens lined up to conduct a transaction that doesn’t exactly top the list of their favorite things to do on a Monday morning. Sure, technical support is on the way, but it is a critical business operation that is preventing your organization from collecting revenue.
Improving your Organization's Cybersecurity Posture
I define Cybersecurity Posture as an organization's disposition with regard to the identification, management, and protection of electronic data. This includes taking the appropriate measures to safeguard data from unauthorized access and/or use of any kind. Leaving you with just another thought-provoking article would prove to be a disservice to the audience; therefore, my hope is that the guidance to follow will assist you in improving the Cybersecurity Posture of your organization.
Cybersecurity Assessment: If you need help getting started here, there are plenty of resources available. The U.S. Department of Homeland Security has developed an excellent assortment of programs and resources specifically designed to guide organizations in Cybersecurity protection, awareness, education, assessments, incident management, and response efforts. With regard to assessments, there are free resources such as the Cyber Resilience Review (CRR), which packages tools and templates to determine where there are areas of opportunity to improve.
Cybersecurity Program: You must establish a Cybersecurity plan for your organization. Oftentimes this can be extremely challenging for smaller government agencies that have a very small IT staff or no IT staff at all. Many local governments find themselves in this position, but again there is an abundance of resources available. The Multi-State Information Sharing & Analysis Center (MS-ISAC) has been designated by DHS as the key resource for State, Local, Territorial, and Tribal governments (SLTT) in Cybersecurity. Membership is free and the benefits have filled the gaps for several government agencies that are not financially equipped to address cyber-threats on their own.
Cybersecurity Insurance: Consider cautiously investigating the benefits of Cyber insurance, as investigations, notifications, and restitution such as consumer credit monitoring services can be very costly. Increasing efforts by both state and federal governments in regulating what is required once a breach occurs most likely will continue. To make matters worse, recent legislative efforts seek to broaden the definition of “personal data,” which translates to more resources, funding, and preventative measures to remain compliant.
Cybersecurity Culture: In order to develop a Cyber-aware culture, you must first understand what the culture is in your respective organization. Nothing about Cybersecurity comes naturally to most, and therefore continuous communication, education, and commitment will be required. As part of your Cybersecurity program, ensure that you incorporate educational training such as participating in National Cyber Security Awareness Month (NCSAM), hold quarterly events, and send out regular communication in the form of tips or newsletters.
In closing, remember that Cybersecurity in and of itself has no final destination but most certainly is one of the most critical journeys that we must take in the information age we live in today.