Governors, mayors and other elected officials are faced with many challenges. Running their jurisdictions is complex and fraught with difficult decisions, all in the public eye, with every action scrutinized. The digital age and new citizen expectations require elected officials to embrace technology to help transform government to improve both public services and interactions. Such changes can encourage more citizens to plant roots in their communities, and elected officials should aspire to this result.
But elected officials also need to ensure the excitement and investment around innovation does not disrupt existing services or increase cybersecurity risks. With the advent of cloud computing, software as a service and the Internet of Things (IoT), governments are being inundated with new solutions. Because some of these seem easy and affordable, they are being implemented very quickly and sometimes outside of established controls.
It would be short-sighted to assume that technology staff across government will address cybersecurity as part of innovation initiatives. Since a cyber program is only as strong as its weakest link, and since a breach can cause significant economic and personal hardships, here are 10 questions every elected official should be asking about cybersecurity in their jurisdiction:
1. What is my role in the cybersecurity efforts of my jurisdiction? Get briefed on the overall cybersecurity posture, ensure information is shared with key critical infrastructure companies (or top local companies) and advocate that adequate protection controls are in place and monitored.
2. Has my jurisdiction adopted the NIST Cybersecurity Framework? Help ensure an overall cybersecurity management framework is in place to make improvements and ensure cybersecurity programs mature in higher risk areas.
3. How are cybersecurity activities funded in my jurisdiction? Work with stakeholder organizations to understand cybersecurity needs and help broker the right discussions with budget officials.
4. Do we have a strong cybersecurity team and a plan to deal with the market’s shortage of cybersecurity talent? Be aware there is a huge shortage of cybersecurity professionals and support an innovative recruitment plan.
5. Do we have an up-to-date breach response plan? Assume a breach will occur at some point while in office. Make sure there is a breach plan to help minimize the fallout. How government responds to a breach is very important.
6. Do we have an executive dashboard that helps us know when and why to make cyber investments? Ask to see a dashboard of cybersecurity activities to gain a better understanding of efforts and investments.
7. What agencies and departments are at the highest risk of an attack or breach? Ask to see the catalogue of data systems within the jurisdiction, what data is at risk, and the current level of protection.
8. Do we require regular cyber-awareness training for our employees? Be aware that many cyber issues stem from employee behavior. Ensure ongoing training and measurement of the effectiveness of this training.
9. Are we communicating with critical infrastructure organizations to ensure economic viability? Recognize that sharing information about cybersecurity threats is not a weakness but a strength. Most important is to share (both ways) information with critical infrastructure organizations.
10. Are we constantly communicating with stakeholders, including constituents, about the likelihood of a breach and how to be prepared? Champion cybersecurity communication. Ensure the jurisdiction is doing everything it can to mitigate and prevent breaches, but is also prepared to isolate and respond quickly if a breach occurs.
If an elected official isn’t asking these questions, they aren’t invested enough. It may be tempting to treat cybersecurity as someone else’s problem, or to decide that the challenges are too difficult to address, but the public expects elected officials to do what they can to protect, prepare and respond to cyber incidents. A new report entitled “Guide to Cybersecurity as Risk Management: The Role of Elected Officials,” jointly published by the Governing Institute and CGI, is available to help navigate this complex landscape.