Elements for Successfully Reporting Cybersecurity Strategies to Senior Leadership
This post was previously published in Federal Computer Week.
While it may not be surprising that U.S. citizens are deeply concerned about cybersecurity, that anxiety has grown dramatically in just the past few years. This year’s Unisys Security Index, a consumer survey that measures security concern globally, found that concern about hacking and malware in the U.S. increased by 55 percent since the last time the survey was performed in 2014.
As National Institute of Standards and Technology Fellow Ron Ross told Federal Computer Week, the survey results illustrate the need for federal government security professionals to allay some of these concerns with better-engineered IT systems that could serve as models for other organizations looking to build cybersecurity into systems from their inception.
I wholeheartedly agree with Ross but would add a next step: Government security professionals must be prepared to crisply communicate to senior most government leaders – agency and department heads – the steps they are taking to improve security and how they are actively collaborating with key stakeholders across all functions.
The recent executive order from the White House, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” holds agency heads accountable for implementing the correct cyber risk management measures within their organizations. This directive will require those at the highest levels of government to focus their attention on cybersecurity.
To make this work, federal CIOs, CISOs and their teams must communicate their activities and strategies to agency and department heads – similar to the way security professionals in the private sector regularly report to their boards of directors and senior leadership.
These interactions in private industry are most effective when Information is presented in concise, easy to understand terms that provide a general overview to agency leaders while also giving them options to drill down for more specific data if they need to. A number of government agency security leaders very effectively use similar approaches that, of course, also take into consideration government requirements, directives and regulations.
Below, I have listed four key elements that typically is included as a content of senior leader briefings:
- Security strategy summary. This should include a summarized version of strategy along with a checklist of all completed actions. A separate column should list in-process and planned future deployments related to solution rollouts and compliance efforts – with expected completion dates.
- Dashboard of key metrics. A dashboard view of the most important security metrics is an effective way to communicate the current state and performance view of security. This information may be broken into segments covering metrics related to employees and related to end user security, network security, server security, application security, etc. These metrics may also include updates on measures taken to define and address vulnerabilities.
- Top 5 ongoing and future risks. This gives leadership a snapshot of areas that require focus and attention via a prioritized list. It may include items such as threats (from outside and inside), data breaches and data classification issues. It should also communicate the organization’s risk assessment matrix and processes. It also may be helpful to include color-coded buttons (green, yellow, red) denoting the status of efforts to mitigate each risk.
- Attack threats and controls. Align specific threats with steps taken to alleviate them. For example, note the processes and tools being used to address phishing attacks, data exfiltration, brute force attacks etc. As with key security metrics, this can be classified by specific segments of agency systems.
Obviously, different leaders will demand different levels of insight, so one size will not fit all. For that reason, presentations and reports also should include appendices providing more detail as needed, as well as a glossary of terms and examples of training modules and employee outreach.
By effectively communicating security strategy and activity to senior most agency leadership, federal security professionals also can lay the groundwork for better communication with members of the general public who are now experiencing a heightened awareness of cybersecurity issues.
By doing so, we also can improve public awareness of steps the government is taking to address these issues – as well as how private sector and citizens at large can contribute to those efforts.