Federal agency CISOs obviously have a lot to do – like securing networks, for one – but they’re also busy “selling” cybersecurity within their agencies to leadership across the organization, a panel of Federal security chiefs explained Oct. 22 at the ACT-IAC Imagine Nation 2019 conference.
Panelists acknowledged that top agency leaders are often not security experts themselves. That leaves CISOs to fill a vital gap: educating leaders about security – and what it costs – without overwhelming them with jargon or more information than they need.
“We sell cyber to the agency,” said Emery Csulak, CISO and Deputy CIO for Cybersecurity at the Department of Energy (DoE).
Janet Vogel, CISO at the Department of Health and Human Services (HHS), said her office conducts a wide range of outreach to agency personnel on security issues, and tries to keep the presentations fresh. For example, a recent training session adopted a “Cyber Escape Room” theme, she said.
Steven Hernandez, CISO and Director of Information Assurance Services at the Education Department, said it’s important for CISOs to “inspire” better planning for agency security by discussing funding priorities, and the need to leave behind security practices whose time has passed.
The message on security can best be delivered with “stories to excite” the audience, he said, adding, “you need to make it easy for people” to grasp.
Csulak agreed, advising to “make it easy” for leadership “to understand the value of security and what you want to do … You need the willing to come along with you.” He continued, “It’s not about security being difficult to do … it’s about making it easy to adopt.”
And if something does go wrong on the security front, said Paul Cunningham, CISO at the Veterans Affairs Department, agency leadership wants to see “a calm hand on the tiller,” and security professionals who are able to explain problems and solutions “in almost a layman’s way.”