The Cyber-Savvy Agency
10 steps to a new cyber mission discipline
Agencies are moving their missions and programs further into cyberspace to achieve more—from next-generation citizen services to national security. For better or worse, the government’s Cybersecurity efforts are increasingly interconnected, inextricably linking daily decisions on performance and information sharing with risk management and prioritization at every level of the organization and across every department, from IT to human capital to finance and acquisition.
Today’s leaders are taking a fresh look at what this changing paradigm means for their agency’s policies, processes and systems. Here are 10 steps to synchronize Cyber initiatives and empower agencies to collaborate across departments to protect their people, programs and mission.
- Expand security beyond IT
Security as usual is security at risk. Treat Cybersecurity as an IT-only concern, and over time such misperceptions can erode the cyber infrastructure and limit agencies to only incremental gains. Get everyone — CFO, CHCO, CAO, CIO, CISO, CTO, program leads and others — at the table to back the business case, choose priorities, and drive change in their department.
- Treat data as a target
Agencies make attractive targets—prized for their vast stores of information, including information about our nation’s economy, health, technology, energy, etc.—exploited for competitive, monetary, or adversarial advantage by organized cyber criminals and hostile nations. Understand the value of all your agency’s assets and quantify the potential implications of your priorities. Protect what matters most to the mission and preserve the public’s trust.
- Set Cyber performance goals
A Cyber governance framework can help leaders see what Cyber initiatives are successful — the first step to establishing a performance-oriented, results-focused approach. Agencies that can see what’s valuable can shorten their learning cycle and better drive lasting change.
- Automate Cyber processes
Use real-time prioritization and process automation to lock in efficiencies. Use existing technology to minimize costs, lag times, and disruptions. Create a disciplined, repeatable, controls-based approach to help reduce redundancy and rework and free up employees to focus on the mission.
- Expand identity management
Know who you’re dealing with online without having to credential everyone. An identity credential and access management (ICAM) framework can empower agencies to protect personal identities and privacy as well as physical and “digital” facilities. As the agency grows, ICAM can let you expand partnerships and add services without more layers of security or more cost.
- Cultivate Cyber leadership
CISOs, CTOs, and CIOs must become change agents to drive Cyber initiatives. As agencies choose their own Cyber leaders (or teams), the people chosen may not be who you expected. Look beyond functional and technology expertise when vetting new leaders: people and change management are critical to getting big things done.
- Manage risk
All roads lead back to risk. Strong controls in one area don’t count if you are vulnerable somewhere else. A 360-degree view of your agency’s risks can help all departments make better decisions, set priorities, manage investments and measure results. Risk-based decision support can help enhance security and improve performance, while lowering costs.
- Move to a faster tempo
Agencies must hone situational awareness. Develop predictive tools to synthesize threat intelligence that quickly translates into actionable operations around both current and emerging risks. More than just speed, a cyber-savvy agency is agile — whether it’s tackling changing Cyber threats or agency missions.
- Cultivate workforce resiliency
Increase vigilance. Dedicate resources to help the workforce recognize the risks, threats and vulnerabilities of cyberspace. A secure workforce knows how its actions can pose risks and recognizes when the patterns of behavior in others indicate increased vulnerability or a risk of asset exploitation.
- Broaden your view
Baseline who is working for you and with you, from employees to contractors. Think outside your network, too. Cyber-deterrence compels agencies and nations to establish public-private partnerships with new, non-traditional partners. Follow the flow of information inside and outside your agency to identify vulnerabilities. Strengthen every link in the chain.