Cyber Security should no longer be the hindrance to business in IT. Along the same line, decision and policy makers need to be cognizant that once decisions are being made, Cyber Security can no longer be the excuse for not securing solutions and data. If risk is being accepted, leadership needs to truly understand the risks they are accepting. If those risks are unacceptable, leadership has to have the courage to actually say "no". Have options ready for whomever you have to say no to, so they can possibly keep their project moving forward, or so they can ensure that investments in protecting legacy solutions are reasonable and worth the cost compared with replacing them or with suffering a breach.
Government CIOs/CTOs should, no, MUST read and share the Committee on Oversight and Government Reform report from September 2016 on the OPM data breach. I like to call it "How not to be a CIO in the government". Cyber Security is not just the CIO/CTO/CISO's job; it is the business leaders' job as well, in every government. Make cyber a part of leadership's evaluation. If you are in a position of responsibility over the security of your systems and you have not briefed or notified anyone of the risks, you are accountable. If you are notifying leadership of risks and of what needs to be done to mitigate them, make sure that notification is in writing. If you are in a position to affect the mitigation of risks and do nothing, your career will be shortened. Risk mitigation and a change in culture go hand in hand.
To make this work, CIOs, CTOs and CISOs need to work together to get into the "board rooms" and explain the risks to the most senior leaders, the ones who can affect the funding for replacing, upgrading or investing in newer, next-generation cyber security solutions. Most senior leaders will understand what the problems and solutions are and will make decisions, but only if they are informed. Keeping them in the dark will result in failure. Use October to get your leadership involved: it is National Cyber Security Awareness Month. Ask them to make proclamations, register them for cyber events and training and walk them through it. Cyber security awareness is 50 percent or more of a CISO's job. Take it and run with it. Share real-world experiences that have happened. The more aware leaders are, the better decisions they can make. Awareness is the best way to affect culture change.
To reach employees, CISOs should think outside the box. If you have a solid awareness program at the office and feel you have reached the pinnacle of getting information and awareness out to your employees, change it up this October. Try holding a mini conference. It could be for a single office, an agency, or a state and local entity. Try getting some of your vendors to provide speakers, pro bono of course; vendors love this opportunity to give back to their communities. Your topics should cover security for employees from a personal angle: protecting themselves online while shopping, or how to monitor their children on the many Internet of Things devices they all have access to. Have the vendors with consumer products set up tables so they can talk to employees during session breaks, maybe give out some stress balls, pens, etc. Employees love those things. Don't let the vendors do sales presentations during sessions. Check with local law enforcement agencies to see if they have an outreach program for children online. You want a solid return on investment for awareness: get employees hearing about their personal security, and you will see them become much more conscious about what they do at work. Give challenge coins to employees who report real incidents, and make them a member of your Cyber Team.
Do not forget to get the leadership involved as well. Have them sponsor the day by allowing employees to opt to attend with no charge to their leave. Briefings, emails and scrolling security warnings are constant reminders of the world we live in at the office. Have your leadership champion awareness efforts by kicking off a day of personal cyber security awareness; your employees will actually thank you for it.