Enterprise IT Context for the CTO

Bob Gourley


Questions for Government Leaders To Ask About Your Cybersecurity Posture

Cybersecurity is one of the most high-profile topics for organizations today and one of their biggest sources of risk. Numerous recent incidents such as the OPM breach have heightened awareness of and sensitivity to this risk, and have made it even more critical that organizations assess their cyber readiness. Cognitio has helped some of the nation’s largest, most recognizable companies enhance their cybersecurity posture by ensuring executive leaders better understand the digital risks to their business interests. I have worked with Bob Gourley to come up with a set of questions that government leaders should be asking to mitigate cybersecurity risks. Bob is Co-Founder of Cognitio, former CTO of the Defense Intelligence Agency, the first Director of Intelligence (J2) at DoD’s cyber defense organization JTF-CND, and author of The Cyber Threat.

Government leaders, project managers, systems engineers, and executives can accelerate enhancements to cybersecurity and mitigate digital risks by focusing on five key questions:

- What is the cyber threat to the mission?
- How do we respond to a data breach?
- Do we understand the difference between compliance and risk management?
- Do all our employees understand their role in cyber security?
- How (and with whom) are we leveraging external security organizations for independent advice/assistance?

What is the cyber threat to the mission?

Too frequently, organizations have an uneven understanding of the serious cyber threats to their mission. The threats will vary from agency to agency, with some coming from cyber fraud and crime and others from espionage, insider threat, and disruption. But in every case, when leaders ask their teams for views on the threat, the result can be a fuller understanding of the risks. By asking this question, leaders can quickly identify the areas whose defense needs to be prioritized. As others realize this is a question of interest to leadership, the culture will become more accommodating to enhanced security and risk mitigation, which by extension helps mitigate both the risk and the impact of a cyber breach.

How do we respond to a data breach?

The history of cyber incidents has made it very clear that at some point adversaries will get in. After you mitigate the last attack, at some point they will get in again. Leaders should ask how breaches will be responded to in order to evaluate all aspects of incident response, including related questions such as:

- Who is notified internally of a breach?
- Who should be on the incident response team?
- What technical measures should be put in place?
- What pre-planned crisis communications measures should be activated (including contact with other government organizations, law enforcement, and at times even the public)?

Do we understand the difference between compliance and risk management?

This is a question meant to deliver insights into your organizational culture of security. There are things you must do because the law (FISMA, IRTMA, FITARA) or policy (OMB and agency directives) requires them, and your organization no doubt has mechanisms in place to ensure you are in compliance. Many of these may seem to be supportive of security, but in reality no compliance mechanism has ever stopped an intruder. Compliance does not equal security. There are security frameworks and models that can be put in place to help ensure governance over security processes, including the NIST Cybersecurity Framework, but these frameworks will fail if your agency culture is one that believes checking the box (compliance) is security. As you ask this question regarding compliance and risk management, listen for areas where you can help your team understand ways to improve their approach to cybersecurity.

Do all our employees and contractors understand their role in cybersecurity?

Employees and contractors who operate in your organization are the first line of defense against cyber threats, including the insidious insider threat. It is your employees who can best help spot malicious activities by insiders. Employees who accidentally deviate from security policies can leave large openings in your defenses. Additionally, employees need to be aware that if they are tricked by malicious “phishing” email attacks, they can introduce malicious code into your enterprise and cause very costly damage. Leaders who ask questions about how well cybersecurity is understood can underscore the importance of reaching 100% of the workforce with cyber threat awareness training and information on their role in cybersecurity.

How are we leveraging external security organizations for independent advice/assistance?

The nature of today’s cyber threats means that no organization, no matter how large, can defend against all adversaries alone. By asking this question you will be signaling your expectation that your executive team will establish appropriate relationships with law enforcement, with other elements of your own organization, with other agencies (and US-CERT), and with the right mix of external consultants. This question will also help you underscore with your team the importance of working with cybersecurity practitioners who can give you independent advice and assistance on your security culture, your processes for responding to a breach, your crisis communications strategy, legal and insurance issues, and your overall cybersecurity framework.

Cybersecurity risk is clearly more than just an IT issue, and its mitigation requires more than just technology and tools. It is a business risk like any other, and as a result is a topic requiring continued leadership. The questions you ask of others will help steer your organization in a way that mitigates risk and enhances security.


Bob Gourley writes on enterprise IT. He is a founder of Crucial Point and publisher of CTOvision.com