Page 31 - FCW, August 2017

Commentary | BY VENKATAPATHI “PV” PUVVADA
Venkatapathi “PV” Puvvada is president of Unisys U.S. Federal.
How to report cyber strategies to senior leaders
Federal agencies can look to the private sector for the proven elements of a successful executive briefing
Although it might not be surprising that Americans are deeply concerned about cybersecurity, that anxiety has grown dramatically in the past few years. This year’s Unisys Security Index found that concern about hacking and malware in the U.S. increased by 55 percent since the consumer survey was last performed in 2014.
As Ron Ross, a fellow at the National Institute of Standards and Technology, told FCW in June, the survey results illustrate the need for federal security professionals to allay some of those concerns with better-engineered IT systems that could serve as models for other organizations looking to build cybersecurity into systems from their inception.
I wholeheartedly agree with Ross but would add a next step: Government security professionals must be prepared to crisply communicate to senior-most government leaders the steps they are taking to improve security and actively collaborate with key stakeholders across all functions.
The recent cybersecurity executive order from the White House holds agency heads accountable for implementing the correct cyber risk management measures within their organizations.
To succeed in that endeavor, federal CIOs, chief information security officers and their teams must communicate their activities and strategies to agency and department heads in a manner similar to the way security professionals in the private sector regularly report to their boards of directors and senior leaders.
Those interactions are most effective when information is presented in concise, easy-to-understand terms that provide a general overview to agency leaders while also giving them options to drill down for more specific data.
A number of agency security leaders very effectively use similar approaches that also take into consideration government requirements, directives and regulations.
Such briefings typically include four key elements:
• Security strategy summary. This document should include a checklist of completed actions. A separate column should list in-process and planned future deployments related to solution rollouts and compliance efforts — each with an expected completion date.
• Dashboard of key metrics. A dashboard view of the most important security metrics is an effective way to communicate the current state and performance view of security. The information could be broken into segments covering metrics related to employees, end-user security, network security, server security and application security, for example. Metrics might also include updates on measures taken to define and address vulnerabilities.
• Top five ongoing and future risks. A prioritized list would give leaders a snapshot of areas that require focus and attention. It might include items such as internal and external threats, data breaches and data classification issues and should also communicate the organization’s risk assessment matrix and processes. It might be helpful to include color-coded buttons (green, yellow, red) denoting the status of efforts to mitigate each risk.
• Attack threats and controls. Agencies should align specific threats with the steps taken to alleviate them. For example, they could note the processes and tools being used to address phishing attempts, data exfiltration and brute force attacks. As with key security metrics, they could be classified by specific segments of agency systems.
By effectively communicating security strategy and activity to senior agency leaders, federal security professionals can also lay the groundwork for better communication with members of the general public who are now experiencing a heightened awareness of cybersecurity issues.
Doing so will improve awareness of the steps the government is taking to address those issues and the ways in which the private sector and the public can contribute to those efforts.