In February of 2016, President Obama released his Cybersecurity National Action Plan (CNAP) and with it announced the creation of a new federal chief information security officer (CISO). Though the job has not yet been filled, I'd urge the new federal CISO to heed this advice from the private sector on the importance of the human element in cybersecurity.
Cybersecurity is far too important to let stand today's model of siloed management and oversight among the various branches and agencies within government. The country needs a champion for the role of information security. Not just in the public sector, but across all walks of American life, from business to school to home. The federal CISO has the opportunity to be that champion.
The federal CISO faces a busy first few months, to be sure. He or she will need to first understand and win the trust of the existing CISOs from the various agencies. This will be no small task, and it will be deeply colored by the contentious political environment. He or she will also face the immediate task of directing the largest budget ever dedicated to cybersecurity, targeted at more than $19 billion in President Obama's fiscal year 2017 budget.
Luckily, there is broad agreement about where to spend a large chunk of this money: updating what everyone agrees is a disgracefully outdated federal IT infrastructure. He or she will likely bring great technical acumen to this job, and will need that acumen when shopping for solutions in a fast-growing and incredibly innovative cybersecurity market. One hopes that the federal CISO receives advice and counsel from the CISOs of the nation's largest companies, who have long had the resources to make meaningful investments in building secure IT environments.
But even as this individual faces the challenges presented by politics, technology, and money, I urge him or her to look to the great opportunity to change the culture of cybersecurity.
As we've heard again and again, all the policies and all the technical controls in the world will do our country no good if we have not enlisted employees as avid participants in the sustained fight to protect information. Even the most advanced cybersecurity fortress cannot protect against an employee accidentally leaving the gates open by clicking on a link in a phishing email.
Building a security-aware culture is no small feat, but possible. How? The new federal CISO can start by following some of the best practices of America's most risk-aware companies. Here are some ideas:
1. Start at the Top…: For better or for worse, people look to leaders to set the tone for their organization. That's why the federal CISO, and every executive at every private and public sector organization, must understand and publicly communicate about cybersecurity risks. We have seen cybersecurity risk become a board- and executive-level concern in the last several years, but too few people at this level understand or speak personally and directly about the impact this risk has on their lives and their organizations. We need to do a better job of educating leaders about the nature of the risks, and get them to incorporate this understanding into their regular communications to employees and citizens.
Recommendation: Educate all executive-level personnel in cybersecurity best practices and ensure they're committed to giving cybersecurity a regular place in both communications to their employees and the public.
2. …But Make It for Everybody: Employees may look to leaders to set the tone, but they will not make substantive changes in behavior unless they can directly connect cybersecurity risks to their work and personal lives. That's why it's so critical to reach people where they are:
- Managers and executives need to understand that their heightened access to information makes them targets;
- Those handling financial information need to practice the skills involved in securing credit card data and all other sources of financial data, just as nurses and healthcare professionals need to protect confidential health information; and
- IT staff need special training, not just on their privileged access to data but also on the role they play as ambassadors in understanding and using information technology.
But we shouldn't stop with work roles. People need to know cybersecurity also applies to their lives outside of work. Look for ways to connect cybersecurity to employees' personal lives with content that is relevant to people like:
- School-aged children, who need to understand what information they should and shouldn't share online and via social networks; and
- Parents, who need to develop some real skepticism about email pleas from long-lost relatives.
No matter our age or our job, we all face cybersecurity risks. But these risks take different forms, and what we need to know and do to protect ourselves differs across our roles. The way we educate must reflect those differences, or it will be irrelevant and ultimately ineffective.
Recommendation: Tailor all cybersecurity-related training and communication to roles (whether they be job roles or phases in life) to ensure the information is relevant and actionable.
3. Make It Engaging: If we ever expect cybersecurity knowledge to become a foundational element in our culture, we need to take our cues from advertising, communications, and PR (and not, I'm sorry to say, from conventional training practices). Look at what Smokey the Bear did for preventing wildfires or what “Where's the Beef?” did for hamburgers.
Simple slogans or interactive experiences, clearly and repeatedly delivered in fun and relevant ways, do far more to build awareness than the long, dry training courses that are so frequently hailed as the solution when it comes to cybersecurity. Even the now-common simulated phishing attacks can be made fun and engaging (and not punitive) if they are made part of an ongoing quest to see which employees can spot the phishing lures. Is there a risk in using humor or games or shock tactics to communicate about cybersecurity? Sure. Some people won't get it, or may be put off by a particular approach. But the risk of boring people is much greater. If people are bored, they'll never learn.
Recommendation: Engage in a comprehensive campaign to get people talking about cybersecurity with features like games, phishing simulation, posters, and videos. The more varied ways we can present our message, the better.
4. Use Technology for Good (or, Don't Be Big Brother): The technical capacity in today's cybersecurity marketplace is staggering. Within just a few years, artificial intelligence will likely be able to identify, predict, and prevent nearly all nefarious behavior within our IT infrastructure. With these advances, though, we face the risk of so over-controlling and over-restricting behavior that we will throttle individual initiative and innovation, not to mention alienating the very employees and citizens we seek to protect.
Already today, some organizations so restrict employee behavior within the IT environment that people feel like they are stranded on a desert island. The employees of such organizations resent the restrictions and seek ways around them, producing the exact opposite of what these tools are meant to achieve: more risky employee behavior, not less. Restriction and control are not the answer. We have an opportunity to use technical wizardry for good, however, if we pursue a people-centric security strategy that recognizes that technology is there to facilitate human innovation, and then deploy technical controls that don't unnecessarily restrict behavior. Examples of the latter are behavioral analytics tools that identify risky behavior and provide relevant education at the time of the action. Such tools free employees to act for the good of the organization while also identifying and restricting persistently dangerous behavior.
Recommendation: Deploy technical solutions that enable innovation while protecting information.
5. Share: I've presented at and attended meetings of the Federal Information Systems Security Educators' Association (FISSEA), a group of information systems security professionals in the federal government dedicated to educating employees about cybersecurity. They are some of the smartest people I've met in this field, easily as capable as their peers in the private sector. And yet because of budgetary constraints and lack of available technology, they must beg, borrow, and steal to create meaningful and relevant awareness programs. Again and again, I heard these professionals lament their inability to make progress due to these constraints, which reflected the lack of emphasis on cybersecurity from the top down. It's time to support a risk-aware culture across the federal government with a significant investment in education and communication.
Recommendation: Invest in the creation of a federal-level cybersecurity curriculum that includes multi-faceted and modular training, games, videos, posters, and more, and then make that curriculum available to all federal agencies. Also, fund the capacity to customize the content for each individual organization.
My advice ultimately comes down to this: all the technical investments in the world won't solve our cybersecurity problem unless we get the attention of all employees and ultimately all citizens, and then provide them with positive models for protecting information. It's being done already at companies throughout the nation. Now it's time for the new federal CISO to lead the effort at a national level.
Tom Pendergast is the chief architect of MediaPro's Adaptive Awareness Framework™, a vision of how to analyze, plan, train, and reinforce to build a comprehensive awareness program, with the goal of building a risk-aware culture. Tom has a Ph.D. in American Studies from Purdue University and is the author or editor of 26 books and reference collections. Tom has devoted his entire career to content and curriculum design, first in print, as the founder of Full Circle Editorial, then in learning solutions with MediaPro.