Cybersecurity Concerns Across Federal Agencies

Earlier this year, the position of federal cybersecurity czar was voided by the US government.  The reasoning behind this questionable decision was that federal agencies could independently handle issues of cybersecurity management and risk assessment, therefore such a position was extraneous.

Well, if this latest Office of the Management and Budget (OMB) report is any indication, this is clearly not the case.  Without naming specific entities, it states that 71 of the 96 agencies surveyed remain at varying levels of risk for cyber attacks.  Whether there are gaps in their security, or an outright lack of the basic protocols in place (including unencrypted data), many critical organizations just aren’t prepared for today’s ever more sophisticated cyber threat landscape.  Indeed, around 73% are incapable of real-time detection of intruders into their network, leaving them ignorant if a data breach happens to be taking place.

OMB’s note that top executives are not generally involved in these matters—understanding and responding to cyber threats—is a significant factor, in my opinion.

This jives with analyses from Security Intelligence that a disconnect remains between security leaders and their boards, both in terms of their comprehension and their priorities.  This often results in a failure to communicate effectively by both sides, with IT not understanding business priorities and executives not grasping cybersecurity.  According to this analysis, it is incumbent on CISOs (Chief Information Security Officer) to learn how to best communicate their positions to executives, thus helping establish a strong security culture.  This includes demonstrating how your security policies also provide positive business value.  “Our advice to our CISO clients is put yourself in your board executives’ shoes and talk to them in their language,” says Grant Wernick,” CEO and co-founder of Insight Engines.  Short of this, it becomes more difficult to make a board appreciate the needs of cybersecurity.

Other recommendations are simple, yet effective.  Emphasize news headlines: as we’ve said countless times here, as well, nobody wants to be on the front page as the next Target or Yahoo.  Board members recognize this very well.  They also appreciate a visible ROI (return on investment) for security expenses, which makes it important for CISOs to show how they’re progressing and what benefits it’s having for the business.

Similar communication must occur across federal agencies.  Especially while the position at the top stays vacant, or while the US lacks an equivalent to GDPR.  The risks run the full range, from financial to infrastructure to election concerns.  There is no excuse for abdicating responsibility, and not doing everything possible to ensure strong information security.