One of the most common questions posed to information security professionals is, “How do you convey the importance of information security to the board/CEO/etc.?” My response is always equating infosec to risk.
The majority of people in charge do not have a good technical grasp of information security, nor should that be a prerequisite for your CEO, board or county manager. In my case, if the county manager or board felt the need to become cyber experts to support the county, I’m not doing my job. So how can we relay the importance of information security to top leaders? By showing how information security reduces risk to a level that is acceptable to the organization.
How do you define risk? In layman’s terms, it’s the likelihood of an event occurring combined with the impact of that event. Pretty straightforward, right? So how do you respond when your agency asks, “How can we guarantee we’ll never get successfully hit by ransomware?”
And with this question comes the first hurdle – managing expectations. Step one is getting those in charge to understand a universal reality. Short of unplugging everything that uses electricity, you cannot “guarantee” complete cybersecurity. For information security more broadly, short of setting fire to everything that contains information, there is no equivalent guarantee of security either. The sooner your leadership accepts this reality, the sooner you can get on with your risk efforts.
Now comes the more nuanced part of information security risk. Maybe another way of saying it is by asking yourself some questions:
- Can your agency articulate in clear terms how they measure risk?
- What is the organizational appetite for risk?
- What is your agency’s sensitivity or tolerance towards risk?
- And, what are the agency’s thresholds for information security risk?
One important note – these questions and concepts apply beyond information security. These are important to project management and other disciplines like enterprise risk management. Of course, our focus is on information security. So let’s tie this concept to government agencies and the challenges they face.
The first bullet is a pretty fundamental one. Your information security team, whether one or 100 people, should be able to explain how information security risk is measured. Not to stereotype, but almost all private-sector organizations treat money/cost as the primary factor in calculating risk. This isn’t to suggest money isn’t an important factor for government, but I would argue there is something that trumps cash. Perhaps a better way of articulating it is a factor that accounts for the fiscally responsible use of public funds – reputation.
I have now worked for three local agencies and numerous higher education institutions. What they all have in common is how sensitive they are about landing on the front page (digitally and physically) of the newspaper or becoming the lead story on the 6 p.m. news for the wrong reasons. What does this have to do with information security risk? As mentioned in my first blog, trust is everything to government agencies. That trust is diminished when we fail to protect public resources.
Some government agencies are so risk-averse that they will say things like they have zero appetite for risk. This is as unrealistic as the idea of making agencies 100% secure. Everything we do as governments has some element of risk – we have to understand this before we can talk about risk appetite. Obviously, some actions are more “risky” than others. Again, this concept is not unique to information security – financial investing comes to mind.
No two agencies are alike, and this applies to risk appetite as well. Risk appetite is the amount of uncertainty one is willing to accept in return for a positive outcome. For example, lots of agencies say they want to be innovative, but there is an inherent amount of risk associated with that philosophy. How many have the stomach to fail in efforts to accomplish something new or unique? Truthfully, many organizations have never thought in terms of information security risk, let alone risk appetite. It’s the job of people like me to put this concept into context so it’s understood by leadership.
This is why my mantra is to never say no to anyone’s idea! I don’t believe it’s my position to tell management what their appetite for risk is. This applies to situations like ransomware as well. It’s my job to inform them what the risks are, what the options for mitigation are, and the like. If I really understand my organization, then I will make recommendations, tying them to the goals and objectives of the agency.
Next week we’ll wrap up our conversation around information security risk and discuss:
- What is your agency’s sensitivity or tolerance towards risk?
- And, what are the agency’s thresholds for information security risk?
Thanks, and keep the comments and constructive feedback coming in!
Lester Godsey is the Chief Information Security and Privacy Officer for Maricopa County, Arizona, which is the fourth most populous county in the United States. With over 25 years of higher education and local government IT experience, Lester has spoken at local, state and national conferences on topics ranging from telecommunications to project management to cybersecurity and data. His current areas of professional interest center around IoT (Internet of Things) technology and data management and the juxtaposition of these disciplines with cybersecurity. You can follow Lester on LinkedIn.