Elements for Successfully Reporting Cybersecurity Strategies to Senior Leadership

Venkatapathi Puvvada August 7th, 2017Security

This post was previously published in Federal Computer Week.

While it may not be surprising that U.S. citizens are deeply concerned about cybersecurity, that anxiety has grown dramatically in just the past few years. This year’s Unisys Security Index, a consumer survey that measures security concern globally, found that concern about hacking and malware in the U.S. increased by 55 percent since the last time the survey was performed in 2014.

As National Institute of Standards and Technology Fellow Ron Ross told Federal Computer Week, the survey results illustrate the need for federal government security professionals to allay some of these concerns with better-engineered IT systems that could serve as models for other organizations looking to build cybersecurity into systems from their inception.

I wholeheartedly agree with Ross but would add a next step: Government security professionals must be prepared to crisply communicate to senior most government leaders – agency and department heads – the steps they are taking to improve security and how they are actively collaborating with key stakeholders across all functions.

The recent executive order from the White House, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” holds agency heads accountable for implementing the correct cyber risk management measures within their organizations. This directive will require those at the highest levels of government to focus their attention on cybersecurity.

To make this work, federal CIOs, CISOs and their teams must communicate their activities and strategies to agency and department heads – similar to the way security professionals in the private sector regularly report to their boards of directors and senior leadership.

These interactions in private industry are most effective when Information is presented in concise, easy to understand terms that provide a general overview to agency leaders while also giving them options to drill down for more specific data if they need to. A number of government agency security leaders very effectively use similar approaches that, of course, also take into consideration government requirements, directives and regulations.

Below, I have listed four key elements that typically is included as a content of senior leader briefings:

Security strategy summary. This should include a summarized version of strategy along with a checklist of all completed actions. A separate column should list in-process and planned future deployments related to solution rollouts and compliance efforts – with expected completion dates.
Dashboard of key metrics. A dashboard view of the most important security metrics is an effective way to communicate the current state and performance view of security. This information may be broken into segments covering metrics related to employees and related to end user security, network security, server security, application security, etc. These metrics may also include updates on measures taken to define and address vulnerabilities.
Top 5 ongoing and future risks. This gives leadership a snapshot of areas that require focus and attention via a prioritized list. It may include items such as threats (from outside and inside), data breaches and data classification issues. It should also communicate the organization’s risk assessment matrix and processes. It also may be helpful to include color-coded buttons (green, yellow, red) denoting the status of efforts to mitigate each risk.
Attack threats and controls. Align specific threats with steps taken to alleviate them. For example, note the processes and tools being used to address phishing attacks, data exfiltration, brute force attacks etc. As with key security metrics, this can be classified by specific segments of agency systems.

Obviously, different leaders will demand different levels of insight, so one size will not fit all. For that reason, presentations and reports also should include appendices providing more detail as needed, as well as a glossary of terms and examples of training modules and employee outreach.

By effectively communicating security strategy and activity to senior most agency leadership, federal security professionals also can lay the groundwork for better communication with members of the general public who are now experiencing a heightened awareness of cybersecurity issues.

By doing so, we also can improve public awareness of steps the government is taking to address these issues – as well as how private sector and citizens at large can contribute to those efforts.

Tags- CyberSecurity U.S. federal Unisys Security Index

Featured Bloggers

Peter Altabef

Peter A. Altabef has served as chairman of the board of Unisys Corporation since April 2018, and as CEO of Unisys since January 2015. He also served as president of the company from September 2015 to March 2020.

Vishal Gupta

Vishal Gupta was elected a senior vice president by the Board of Directors in July 2018. He is responsible for driving Unisys’ Products and Platforms business through an integrated digital strategy for the company’s solutions, including products and services.

Eric Hutto

Eric Hutto was elected president and chief operating officer effective March 2020. From September 2015 to March 2020, he served as senior vice president and president, Enterprise Solutions. Eric joined the company in April 2015 and previously served as vice president/general manager, U.S. & Canada, Unisys Enterprise Solutions.

Tom Patterson

Tom Patterson, Vice President and Chief Trust Officer, serves as a strong trust advocate on behalf of our clients and the industries and governments we serve.

Ann Sung Ruckstuhl

Ann Sung Ruckstuhl is senior vice president and Chief Marketing Officer at Unisys. She joined the company in December 2016 and is responsible for all of Unisys’ marketing functions, including corporate, product, solution, industry, services, partner and field marketing, as well as communications.