How to report cybersecurity strategies to senior leaders
Although it might not be surprising that Americans are deeply concerned about cybersecurity, that anxiety has grown dramatically in the past few years. This year's Unisys Security Index, a global consumer survey, found that concern about hacking and malware in the U.S. increased by 55 percent since the survey was last performed in 2014.
As Ron Ross, a fellow at the National Institute of Standards and Technology, told FCW in June, the survey results illustrate the need for federal security professionals to allay some of those concerns with better-engineered IT systems that could serve as models for other organizations looking to build cybersecurity into systems from their inception.
I wholeheartedly agree with Ross but would add a next step: Government security professionals must be prepared to crisply communicate to senior-most government leaders -- agency and department heads -- the steps they are taking to improve security and how they are actively collaborating with key stakeholders across all functions.
The recent executive order from the White House, "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure," holds agency heads accountable for implementing the correct cyber risk management measures within their organizations. The directive requires those at the highest levels of government to focus their attention on cybersecurity.
To succeed in this endeavor, federal CIOs, chief information security officers and their teams must communicate their activities and strategies to agency and department heads -- similar to the way security professionals in the private sector regularly report to their boards of directors and senior leaders.
Those interactions in industry are most effective when information is presented in concise, easy-to-understand terms that provide a general overview to agency leaders while also giving them options to drill down for more specific data if they need to. A number of agency security leaders very effectively use similar approaches that, of course, also take into consideration government requirements, directives and regulations.
Four key elements typically are included in such senior leader briefings:
- Security strategy summary. This should include a summarized version of the strategy along with a checklist of all completed actions. A separate column should list in-process and planned future deployments related to solution rollouts and compliance efforts -- each with an expected completion date.
- Dashboard of key metrics. A dashboard view of the most important security metrics is an effective way to communicate the current state and performance view of security. The information could be broken into segments covering metrics related to employees, end-user security, network security, server security and application security, for example. Metrics might also include updates on measures taken to define and address vulnerabilities.
- Top five ongoing and future risks. A prioritized list would give leaders a snapshot of the areas that require focus and attention. It might include items such as internal and external threats, data breaches, and data classification issues, and it should also communicate the organization's risk assessment matrix and processes. It might be helpful to include color-coded status indicators (green, yellow, red) denoting the state of efforts to mitigate each risk.
- Attack threats and controls. Agencies should align specific threats with the steps taken to alleviate them. For example, they could note the processes and tools being used to address phishing attacks, data exfiltration and brute force attacks. As with key security metrics, they could be classified by specific segments of agency systems.
Obviously, different leaders will demand different levels of insight, so one size will not fit all. For that reason, presentations and reports should include appendices that provide more detail, as well as a glossary of terms and examples of training modules and employee outreach.
By effectively communicating security strategy and activity to senior agency leaders, federal security professionals can also lay the groundwork for better communication with members of the general public who are now experiencing a heightened awareness of cybersecurity issues.
By doing so, we will improve public awareness of the steps the government is taking to address those issues and how the private sector and the public can contribute to those efforts.
Venkatapathi "PV" Puvvada was elected a senior vice president by the Board of Directors in February 2015. In addition, PV was named president of Unisys Federal in July 2014.
As president of Unisys Federal, Venkatapathi is responsible for driving the company's growth in the federal marketplace by providing innovative solutions in areas such as cloud computing, big data, unified communications, mobile applications and security.
Previously, Venkatapathi served as group vice president for the company's federal civilian agency business since 2010. From 2005 to 2010, he was managing partner and chief technology officer for Unisys Federal, overseeing the company's federal solutions portfolio and service delivery excellence. Venkatapathi joined Unisys in 1992.
A vocal advocate of using technology to help federal agencies serve U.S. citizens, Venkatapathi has served in leadership positions at several technology-related industry groups and has won numerous awards for his contributions. He currently serves on the board of directors of the Professional Services Council, a group that advocates on behalf of the federal professional and technical services industry. In 2007-2008, he served as chair of the Industry Advisory Council, a public-private partnership organization dedicated to advancing government through the application of information technology.
Venkatapathi's contributions have been recognized through numerous industry awards. He is a four-time winner of the Federal Computer Week Federal 100 Award, in 2015, 2008, 2005 and 2003. In 2013, media company Executive Mosaic inducted Venkatapathi into the Washington 100, a group of industry leaders "who drive growth at the intersection of the public and private sectors." In 2010, he was named Government Contractor CTO Innovator of the Year in the large business category by the Northern Virginia Technology Council and Washington Technology magazine.
Venkatapathi holds a master's in Engineering from the Indian Institute of Technology.