Security leaders are no longer simply expected to design and implement a security strategy for their organization. As a key member of the business—and one that often sits in the C-suite—CISOs and security managers must demonstrate business acumen. In fact, Gartner estimates by 2020, 100 percent of large enterprise CISOs will be asked to report to their board of directors on cybersecurity and technology risk at least annually.
Presenting to the board, demonstrating ROI, and designing security as a business enabler are all in the job description for CISOs today. But when it comes to communicating with the board and executive management, CISOs in different verticals will have disparate challenges to address.
In a series of posts about CISO communication, we look at these varying issues and concerns across verticals. This month, we examine what security leaders in government positions need to be mindful of when working to get buy-in from higher levels.
For perspective, I tapped Dan Lohrmann. Lohrmann is a security veteran who led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014. Now, as CSO and Chief Strategist for Security Mentor, he still writes and comments regularly on the requirements for government cybersecurity officials.
What unique challenges do CISOs working in government have that differ from their peers in the private sector?
There are many, but I’ll mention three.
First, in government, the people closest to the top executive are almost always political friends/allies of the governor or mayor or other top public sector leader. The majority of these most trusted people were “on the bus” when they ran for office. This means that many top executives literally campaigned with them through primaries and long days of political rallies, gave financially to their campaigns and more. These are the people who are in the “inner circle” and who are listened to the most by government leaders. They have unique access and long-term relationships which are very hard to gain if you were not “on the bus.” There is nothing equivalent in the private sector, because there are not open public elections.
Second, while building trust takes time and skill in both the public and private sectors, the timelines for projects are often different. In government, there are set cycles which tend to follow election calendars, which often run for four years, but can range from two up to six. Investments and priorities with the board—often the cabinet or committee or council—also follow unique budget cycles that include getting legislative and perhaps other support. The timing of requests is paramount. Learn the lingo and metrics of these groups. How do they measure success?
Third, government rules, procedures, processes, approvals, oversight, and audits are often very complex and unique. It can take years to fully understand all the fiefdoms and side deals that occur in government silos. In the private sector, financial or staff support from the top leaders is generally acted upon swiftly. But, in contrast, I have seen government leaders make clear decisions, only to see the “government bureaucracy” kill projects through a long list of internal maneuvers and delaying tactics.
What do government CISOs need to keep in mind when they communicate with either the board or other governing body in their organization?
Know where you stand, not just on the org chart, but in the pecking order of “trust circles” in government. If you are not in the inner circle—and you probably are not if you were not on the bus—ask who is? Also, strive to at least be in the middle circle of career professionals who are trusted to “get things done” with a track record of career success. Build trusted relationships with those on the inner circle (or at least in the middle circle), where possible. Do lunch with the governments leaders. Learn the top governments leaders' priorities and campaign promises. Get invited to the strategy sessions and priority setting meetings that impact technology and security. Make your case in different ways (from elevator pitches to formal cybersecurity presentations).
Second, gain a good understanding of how things get done in government. Read case studies of successful projects. Learn budget timelines for official (and unofficial) proposals. Always have a list of current needs when “fallout money” becomes available. Side note: I was often told “no money for that project” for months or even years, only to have a budget person come up to me at the end of the fiscal year saying I need the spending details now. Lesson: Be ready with your hot needs list.
Third, get to know the business leaders in the agencies who may be more sympathetic to your cause, even if/when the top elected leaders are not. Find a business champion in your organization who is backing cyber change in powerful ways and get behind that snowplow. Surprisingly, this may not be an IT manager. For example, I’ve seen security champions in the transportation and treasury departments. The senior execs in treasury were in charge of credit cards and needed payment card industry compliance. They pushed for extensive improvements in our network controls by demonstrating the penalties of noncompliance.
Fourth, do regular cyber roadshows at least annually to business areas throughout government. Build a regular cadence for updates on what’s happening, and don’t assume this is a one-time deal. Go over the good, bad, and ugly and action items in security. Talk about what is working and where improvements are needed to be done with metrics.
Fifth, form a cyber committee (or better, utilize an existing technology sub-committee) to get executive buy-in from middle management in business areas. Get security ambassadors to help make the case through front-line non-IT leaders who are respected.
What tips for effective communication would you offer CISOs in government agencies?
Two tips and a word of caution.
I often hear CISOs and other government leaders say there is no money, or hiring, and that their projects never get funded. My response is to “get on the boats leaving the dock.” That is, what projects are getting funding? Are you, or your top deputies, in those important meetings? For example, a new tax database is a top priority, but you are not invited to participate. Why? Make sure security is built into all strategic projects. Build trust through getting involved in top priorities—or, if you can’t beat them, join them.
Another tip is to strategically partner with others. This means building bridges through grants, other government groups like the MS-ISAC, police, FBI, DHS, etc. Many of these groups usually have the reputations and a level of trust associated with them, even when new leaders don’t. If you study what has worked and not worked in the past, you can benefit greatly from these relationships. This can also include relationships with the private sector.
One final word of caution: When a new top leader is elected, the inner circle will inevitably change. Staying effective during this transition, especially if political parties change, is a huge challenge. Nevertheless, cybersecurity is one of the few high-priority topics which tends to be nonpartisan. Stay focused on protecting data and critical infrastructure, and you can survive, even during very difficult administration changes.