While many state and local elected officials like to talk big on cybersecurity — consider Maryland Gov. Larry Hogan declaring his state the “cyber capital of America” — getting them to focus on the issue in the proper context requires a careful approach, a group of IT leaders said at a conference last week.
For starters: Don’t frame it as a technology issue.
Speaking at the Michigan Cyber Summit last Thursday, the chief information officers of four states, as well as those from Detroit and surrounding Wayne County, said conversations about cybersecurity with their respective governors and mayors are more productive when they focus on business risks instead of specific technical issues.
“I have an open door with the county executive,” said Wayne County CIO Hector Roman. “It’s not on technical terms. They don’t care what’s shiny or new, it’s about what you can do to keep the county protected.”
Indiana CIO Tracy Barnes, who came into his job with statehouse experience as a former chief of staff to the lieutenant governor, said he “rarely” talks about technology with Gov. Eric Holcomb’s inner circle, or with state lawmakers.
“Most of the conversations are based on the impact of the agency missions,” he said. “I think it’s our responsibility to keep shining the light on enterprise.”
Even with a less-technical approach, the CIOs on stage said they still frequently run into elected officials who hope cybersecurity is an issue that can be permanently resolved, rather than viewing it as an ongoing effort.
“The fear message I’m not a big fan of, and it creates belief cyber’s a problem to be solved,” said West Virginia CIO Josh Spence, who previously served as that state’s chief information security officer.
Elected officials, he said, are often tempted to ask simply if the state is “secure.”
“Pretend I’m the fire marshal and ask me if the building is fireproof,” Spence said. “Should there be a fire, we manage the risk.”
Detroit CIO Art Thompson said he’s also had to be blunt with his city’s top brass.
“When I first took this role I was asked what it will take to get secure, and I laughed,” he said. “You want to be safe and protected? Turn off your computer and unplug it. We have regular meetings and talk about this as a risk. It’s not something we can spend on and make go away.”
Michigan CIO Laura Clark, who doubles as her state’s chief security officer, said there’s an “ongoing conversation” on cybersecurity with the leadership in Lansing. Clark said she’s often accompanied by officials from the Michigan State Police and National Guard, which also play major roles in the state’s cyber operations, especially on incident response.
“You don’t want the first time you’re talking to your governor to be when you’re asking them for money or because there’s an issue,” Clark said. “Tech is our field, not their field. But the way how cybersecurity has become mainstream media, it’s how you’re helping them not be that headline.”