How to report cybersecurity strategies to senior leaders
Although it might not be surprising that Americans are deeply concerned about cybersecurity, that anxiety has grown dramatically in the past few years. This year's Unisys Security Index, a global consumer survey, found that concern about hacking and malware in the U.S. increased by 55 percent since the survey was last performed in 2014.
As Ron Ross, a fellow at the National Institute of Standards and Technology, told FCW in June, the survey results illustrate the need for federal security professionals to allay some of those concerns with better-engineered IT systems that could serve as models for other organizations looking to build cybersecurity into systems from their inception.
I wholeheartedly agree with Ross but would add a next step: Government security professionals must be prepared to crisply communicate to senior-most government leaders -- agency and department heads -- the steps they are taking to improve security and how they are actively collaborating with key stakeholders across all functions.
The recent executive order from the White House, "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure," holds agency heads accountable for implementing the correct cyber risk management measures within their organizations. The directive requires those at the highest levels of government to focus their attention on cybersecurity.
To succeed in this endeavor, federal CIOs, chief information security officers and their teams must communicate their activities and strategies to agency and department heads -- similar to the way security professionals in the private sector regularly report to their boards of directors and senior leaders.
Those interactions in industry are most effective when information is presented in concise, easy-to-understand terms that provide a general overview to agency leaders while also giving them options to drill down for more specific data if they need to. A number of agency security leaders very effectively use similar approaches that, of course, also take into consideration government requirements, directives and regulations.
Four key elements typically are included in such senior leader briefings:
- Security strategy summary. This should include a summarized version of strategy along with a checklist of all completed actions. A separate column should list in-process and planned future deployments related to solution rollouts and compliance efforts -- each with an expected completion date.
- Dashboard of key metrics. A dashboard view of the most important security metrics is an effective way to communicate the current state and performance view of security. The information could be broken into segments covering metrics related to employees, end-user security, network security, server security and application security, for example. Metrics might also include updates on measures taken to define and address vulnerabilities.
- Top five ongoing and future risks. A prioritized list would give leaders a snapshot of areas that require focus and attention. It might include items such as internal and external threats, data breaches and data classification issues and should also communicate the organization’s risk assessment matrix and processes. It might be helpful to include color-coded buttons (green, yellow, red) denoting the status of efforts to mitigate each risk.
- Attack threats and controls. Agencies should align specific threats with the steps taken to alleviate them. For example, they could note the processes and tools being used to address phishing attacks, data exfiltration and brute force attacks. As with key security metrics, they could be classified by specific segments of agency systems.
Obviously, different leaders will demand different levels of insight, so one size will not fit all. For that reason, presentations and reports should include appendices that provide more detail, as well as a glossary of terms and examples of training modules and employee outreach.
By effectively communicating security strategy and activity to senior agency leaders, federal security professionals can also lay the groundwork for better communication with members of the general public who are now experiencing a heightened awareness of cybersecurity issues.
By doing so, we will improve public awareness of the steps the government is taking to address those issues and how the private sector and the public can contribute to those efforts.