An open letter to the new Federal CISO

In February of 2016, President Obama released his Cybersecurity National Action Plan (CNAP) and with it announced the creation of a new federal Chief Information Security Officer (CISO). Though the job has not yet been filled (job post is here), I thought the new CISO might appreciate some advice from private industry on the importance of the human element to cybersecurity once he or she settles in.

To the new federal CISO:

Congratulations on your recent appointment as our nation’s first federal CISO. Your appointment is long overdue, and I don’t just mean that it sure has taken a long time to find the right person for the job!

No, it’s long overdue because cybersecurity is far too important to let stand today’s model of siloed management and oversight among the various branches and agencies within government. The country needs a champion for the role of information security. Not just in the public sector, but across all walks of American life, from business to school to home. You have the opportunity to be that champion.

Your first months on the job will be busy, to be sure. You must first understand and win the trust of the existing CISOs from the various agencies. This will be no small task, and it will be deeply colored by the contentious political environment. You will also face the immediate task of directing the largest budget ever dedicated to cybersecurity, targeted at more than $19 billion in President Obama’s fiscal year 2017 budget.

Luckily, there is broad agreement about where to spend a large chunk of this money: updating what everyone agrees is a disgracefully outdated federal IT infrastructure. You likely bring great technical acumen to this job, and you’ll need it as you shop for solutions in a fast-growing and incredibly innovative cybersecurity market. I hope that you’ll receive advice and counsel from the CISOs of the nation’s largest companies, who have long had the resources to make meaningful investments in building secure IT environments.

But even as you face the challenges presented by politics, technology, and money, I urge you to look to the great opportunity you have to change the culture of cybersecurity.

As I’m sure you’ve heard again and again, all the policies and all the technical controls in the world will do you no good if you have not enlisted your employees as avid participants in the sustained fight to protect information. Even the most advanced cybersecurity fortress cannot protect against an employee accidentally leaving the gates open by clicking on a link in a phishy email.

Building a security-aware culture is no small feat, but it’s possible. How? You can start by following some of the best practices of America’s most risk-aware companies. Here are some ideas:

1. Start at the top

For better or worse, people look to leaders to set the tone for their organization. That’s why you, the federal CISO, and every executive at every private and public sector organization must understand and publicly communicate about cybersecurity risks.

We have seen cybersecurity risk become a board- and executive-level concern in the last several years, but too few people at this level understand or speak personally and directly about the impact this risk has on their lives and their organizations. We need to do a better job of educating leaders about the nature of risks, and get them to incorporate this understanding into the regular communications to their employees and citizens.

Recommendation: Educate all executive-level personnel in cybersecurity best practices and ensure they’re committed to giving cybersecurity a regular place in communications both to their employees and to the public.

2. But make it for everybody

Employees may look to leaders to set the tone, but they will not make substantive changes in behavior unless they can directly connect cybersecurity risks to their work and personal lives. That’s why it’s so critical that you reach people where they are:

• Managers and executives need to understand that their heightened access to information makes them targets
• Those handling financial information need to practice the skills involved in securing credit card data and all sources of financial data, just as nurses and healthcare professionals need to protect confidential health information
• IT staff need special training, not just on their privileged access to data but also on the role they play as ambassadors in understanding and using information technology

But you shouldn’t stop with work roles. People need to know cybersecurity also applies to their lives outside of work. Look for ways to connect cybersecurity to their personal lives with content that is relevant to people like:

• School-aged children, who need to understand what information they should and shouldn’t share online and via social networks
• Mom and dad, who need to develop some real skepticism about email pleas from long-lost relatives

No matter our age or our job, we all face cybersecurity risks. But these risks take different forms, and what we need to know and do to protect ourselves differs across our roles. The way you educate must reflect those differences, or it will be irrelevant and ultimately ineffective.

Recommendation: Tailor all cybersecurity-related training and communication to roles (whether they be job roles or phases in life) to ensure the information is relevant and actionable.

3. Make it engaging

If we ever expect cybersecurity knowledge to become a foundational element in our culture, we need to take our cues from advertising, communications, and PR. (And not, I’m sorry to say, from conventional training practices). Look what Smokey the Bear did for preventing wildfires or what “Where’s the Beef?” did for hamburgers.

Simple slogans or interactive experiences, clearly and repeatedly delivered in fun and relevant ways, do far more to build awareness than the long, dry training courses that are so frequently hailed as the solution when it comes to cybersecurity. Even the now-common simulated phishing attacks can be made fun and engaging (and not punitive) if they are made part of an ongoing quest to see which employees can spot the phishing lures. Is there a risk in using humor or games or shock tactics to communicate about cybersecurity? Sure. Some people won’t get it or may be put off by a particular approach. But the risk of boring people is much greater. If people are bored, they’ll never learn.

Recommendation: Engage in a comprehensive campaign to get people talking about cybersecurity with features like games, phishing simulation, posters, and videos. The more varied ways you can present your message, the better.

4. Use technology for good (or, don’t be big brother)

The technical capacity in today’s cybersecurity marketplace is staggering. Within just a few years, artificial intelligence will likely be able to identify, predict, and prevent nearly all nefarious behavior within our IT infrastructure.

With these advances, though, we face the risk of so over-controlling and over-restricting behavior that we throttle individual initiative and innovation, alienating the very employees and citizens we seek to protect. Already today, some organizations so restrict employee behavior within the IT environment that people feel like they are stranded on a desert island. The employees of such organizations resent such restrictions and seek ways around them, leading to the exact opposite of what these tools are trying to achieve: increased risky behavior.

Restriction and control are not the answer. We have an opportunity to use technical wizardry for good, however, if we pursue a people-centric security strategy that recognizes that technology is there to facilitate human innovation and then deploy technical controls that don’t unnecessarily restrict behavior. Examples of the latter are behavioral analytics tools that identify risky behavior and provide relevant education at the time of the action. Such tools free employees to act for the good of the organization while also identifying and restricting persistent dangerous behavior.

Recommendation: Deploy technical solutions that enable innovation while protecting information.

5. Share

I’ve presented at and attended meetings of the Federal Information Systems Security Educators’ Association (FISSEA), a group of information systems security professionals in the federal government dedicated to educating employees about cybersecurity. They are some of the smartest people I’ve met in this field, easily as capable as their peers in the private sector. And yet because of budgetary constraints and lack of available technology, they must beg, borrow, and steal to create meaningful and relevant awareness programs. Again and again, I heard these professionals lament their inability to make progress due to these constraints, which reflected the lack of emphasis on cybersecurity from the top down. It’s time to support a risk-aware culture across the federal government with a significant investment in education and communication.

Recommendation: Invest in the creation of a federal level cybersecurity curriculum that includes multi-faceted and modular training, games, videos, posters, and more, and then make that curriculum available to all federal agencies. Also, fund the capacity to customize the content for the individual organization.

My advice ultimately comes down to this: All the technical investments in the world won’t solve your cybersecurity problem unless you get the attention of all employees and ultimately all citizens, and then provide them with positive models for protecting information. It’s being done already at companies throughout the nation. Now it’s time for you to lead the effort at a federal level.

I wish you the best.

Tom Pendergast is Chief Strategist of Security, Privacy, and Compliance at security awareness company MediaPro.