This post was previously published in Federal Computer Week.
While it may not be surprising that U.S. citizens are deeply concerned about cybersecurity, that anxiety has grown dramatically in just the past few years. This year’s Unisys Security Index, a consumer survey that measures security concern globally, found that concern about hacking and malware in the U.S. increased by 55 percent since the last time the survey was performed in 2014.
As National Institute of Standards and Technology Fellow Ron Ross told Federal Computer Week, the survey results illustrate the need for federal government security professionals to allay some of these concerns with better-engineered IT systems that could serve as models for other organizations looking to build cybersecurity into systems from their inception.
I wholeheartedly agree with Ross but would add a next step: Government security professionals must be prepared to crisply communicate to the most senior government leaders – agency and department heads – the steps they are taking to improve security and how they are actively collaborating with key stakeholders across all functions.
The recent executive order from the White House, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” holds agency heads accountable for implementing the correct cyber risk management measures within their organizations. This directive will require those at the highest levels of government to focus their attention on cybersecurity.
To make this work, federal CIOs, CISOs and their teams must communicate their activities and strategies to agency and department heads – similar to the way security professionals in the private sector regularly report to their boards of directors and senior leadership.
These interactions in private industry are most effective when information is presented in concise, easy-to-understand terms that provide a general overview to agency leaders while also giving them options to drill down for more specific data if they need to. A number of government agency security leaders very effectively use similar approaches that, of course, also take into consideration government requirements, directives and regulations.
Below, I have listed four key elements that are typically included in senior leader briefings:
Obviously, different leaders will demand different levels of insight, so one size will not fit all. For that reason, presentations and reports also should include appendices providing more detail as needed, as well as a glossary of terms and examples of training modules and employee outreach.
By effectively communicating security strategy and activity to the most senior agency leadership, federal security professionals also can lay the groundwork for better communication with members of the general public who are now experiencing a heightened awareness of cybersecurity issues.
By doing so, we also can improve public awareness of steps the government is taking to address these issues – as well as how the private sector and citizens at large can contribute to those efforts.