An interview with Lester Godsey, Chief Information Security and Privacy Officer, Maricopa County, Arizona
Maricopa County is the fourth most populous county in the nation, sprawled across south-central Arizona and home to more than half of the state’s residents. It encompasses 9,224 square miles, including the state capital, 24 cities and towns, and several unincorporated entities.
Protecting the county’s IT infrastructure from internal and external threats is profoundly important, and Lester Godsey, the county’s Chief Information Security and Privacy Officer, knows that using simple, clear language is among his most important safeguards.
Challenges
Agency IT professionals face a fundamental challenge:
They need officials, politicians and agency staff to embrace — and perhaps fund — risk prevention measures that can save the organization time, money and reputation, but the audiences often have little tech acumen.
Further complicating matters is the fact that governments have multiple departments with different IT needs and sensitivities. In Maricopa’s case, there are 56 departments, including eight run by political appointees with a fair amount of autonomy.
“My job is to protect the organization, and over the years, that definition of protection has extended to brand and trust of the organization as well,” Godsey said.
“I can’t afford to just focus on technology. I have to understand how our sheriff’s office operates and what their unique constraints and requirements are vs. that of the court vs. that of animal care and control vs. that of public health,” he said. “Technology always gets a spotlight,” but communication is just as important.
The last few years in Maricopa County have been a stark reminder that government should prepare for the unexpected. Cybersecurity teams should, and often do, understand existing and potential risks and develop strategies to tackle them — but convincing people to appreciate and guard against those risks is a different matter.
Solution
Godsey defines “plain language” as “language that’s used and is understandable by the widest audience, or the audience at the time.” This means avoiding acronyms or industry jargon and putting information in context, making it relevant to the people you’re approaching.
“If you can couch things in terms of risk, that’s something that conceptually everybody understands,” he explained.
“Now, risk could be measured by a variety of different things, right? It’s not just loss of money [or] loss of services. What we’re finding that resonates with our elected officials is loss of trust by the public. Reputational impact is really what resonates.”
For county departments that typically enjoy a certain degree of political independence, Godsey works to ensure a uniform, enterprisewide approach to cybersecurity by stressing cyber threats’ apolitical nature. He tells department officials that “the bad guys don’t care about [political sovereignty]. They’re just looking for the path of least resistance, and once they get in, we’re all at risk, and so it behooves all of us to be on the same page.”
To entice county officials to participate in a tabletop exercise to help prepare for 2022 election threats, Godsey’s team phrased the invitation simply, explaining the potential fallout from a cyber breach. “We had a packed house, and the feedback we got was really positive,” he said.
Because department staff often disregard cybersecurity outreach from management, Godsey’s team developed another effective plain-language communication tool: a “cybersecurity cadre program,” in which line staff organization wide “help spread the gospel of cybersecurity” to their colleagues, “people who don’t know who that Lester guy is,” he said.
Outcome
An effective cybersecurity program relies on basic marketing skills, and Godsey sees himself, in part, as a salesperson, telling the right stories to the right audiences.
The approach has “really paid dividends in terms of awareness and support for information security. That’s really bought us a lot of internal credit, and information security’s really viewed highly within Maricopa County in terms of the services we provide and how we go about doing it,” Godsey noted. “It’s made my job subsequently easier, whether [I’m] requesting funding for initiatives or getting support within other departments for things we’re trying to accomplish.”
This article appears in our guide “Bright Ideas for Making Cyber Stick.” To see more about how agencies are implementing cybersecurity, download the guide.
Leave a Reply
You must be logged in to post a comment.