Elected and appointed officials take an oath affirming their willingness to undertake the duties of their office. The intent is to swear they will do the “best they can” to represent those who elected or appointed them, and do so with “honor and integrity.”
For governors, mayors, legislators and even appointed agency leaders, this means managing resources efficiently and in ways that provide great service to their constituents. Increasingly, as more people and devices are connected in the digital age, “doing their best” also means supporting technology to improve citizen services without leaving those services or citizens exposed to the consequences of a cyber breach.
While elected and appointed officials are not the ones applying cyber defenses or remediation, they can “do their best” to ensure effective security is part of existing technology infrastructures and any future modernization or innovation efforts.
In spite of cyber challenges, the world is moving ahead with digitalization, and citizens increasingly expect its use in government. Technology advances are hard enough for practitioners to keep up with, let alone elected officials, who are only starting to realize what an enabler and force multiplier technology is for improving citizen services. So, where can elected officials and appointees start their journey to understanding, thinking about and mitigating the risk of cyber incidents?
In a previous blog post, I posed 10 questions elected officials should ask about their jurisdictions’ cybersecurity programs. Here, I’d like to share these key actions from a cybersecurity checklist for elected officials in “Guide to Cybersecurity as Risk Management: The Role of Elected Officials,” published jointly by the Governing Institute and CGI:
- Use the NIST Cybersecurity Framework to measure the maturity of the existing cybersecurity program. The NIST Framework provides a roadmap for cataloging assets, assessing current risk, and determining priorities for improvements. This can help elected officials know which cyber budget investments should be prioritized so that spending focuses on the areas of biggest risk. Please see a recent blog post by my colleague Mike Corby on this topic.
- Vigorously promote a security culture by requiring all employees to undergo regular cyber-awareness training. Most cyber breaches involve two parties – the bad actor trying to penetrate, and the unaware employee who accidentally clicks on an e-mail prepared by the bad actor. Elected officials need to visibly support and promote cyber-awareness training and measure its effectiveness.
- Collaborate with the private sector to create a secure, technology-friendly culture for conducting business. Business and government need to work together to combat cyber criminals. Elected officials should encourage close coordination between local business and government, including sharing threat information, as this is mutually beneficial.
- Require dashboards that show progress on cyber program maturity and the types of threats identified. Cyber dashboards come in many different flavors; some are very detailed and are generated directly by cybersecurity tools. Elected officials should be asking for higher-level dashboards that measure improvements in the overall security posture and maturity of the program.
- Implement tools and technologies that provide constant measurement of capabilities. Performing only periodic reviews of an organization’s cyber protection is no longer a viable option. Elected officials should ensure that their organizations are implementing continuous diagnostics and monitoring tools to measure their cybersecurity posture on an ongoing basis.
While cybersecurity is a big challenge in digitalizing government services, it should not stop elected officials and agency heads from being champions of innovation. They simply need to ensure that the innovation is managed securely with the right leadership and partners. In this way, they will be “doing their best” to serve their constituents.