How to Spark Effective Conversations on Cybersecurity, Policy, and MissionJune 21, 2017
Are we getting cybersecurity "right?" As a cybersecurity professional, I often wonder as we advise concerned agency executives on the many thousands or even millions of dollars they will need to invest in security measures to be "secure." Many times, this advice is based on a short paragraph description of the mission or service, plucked from reams of documentation driven by organizational and government policy requirements such as cyber risk assessments or security plans.
Some of these policy requirements have provided excuses for IT/security executives, mission executives, and even policy experts to avoid basic conversations; the process has stolen the conversation. As with other aspects of the policy and technology gap, we must look beyond what is required by policy and what can be achieved by technology to ground both in a comprehensive understanding of the organization’s mission and balancing cost.
Neither policy requirements nor security exists to hinder missions, yet both do when applied blindly. As such, the gaps between policy and technology can be felt most keenly when mission leaders and security professionals fail to come together in the spirit of getting something done with unity. We can increase the effectiveness of security measures with an effective conversation about the mission, policy implications, and security. After all, policy and security exist to assist in securing missions while ensuring that civil liberties and other legal and policy constraints are met.
Do You Have the Right People in the Room?
Having an effective conversation means first having the right people in the room. The people who need to be in this conversation are those who have the authority to make final decisions for the mission. And the more senior the participants, the better, ideally including mission executives such as program leads or mission directors.
The security professionals involved in the conversation must be senior enough to approve or be responsible for the security for that service, such as a CISO or IT executive. These cybersecurity executives must understand the relevant national and local policies applicable to the mission or bring in the policy experts who can provide that insight; international missions may additionally require treaty and international agreement expertise.
For those executives on all sides of the conversation who don't think they have the time for it, I ask, would you have the time if this 15-minute conversation could save you millions of dollars? Or possibly prevent an embarrassing cyber event? Or significantly increase the effectiveness of the mission? Having these conversations also builds trust and cooperation among IT executives, policy experts, and mission executives, which is necessary to truly secure missions.
Do You Understand the Mission First?
Once the right participants are in the room, the person to provide information first is the mission executive. And, this is tough, but the role of the cybersecurity executive is to listen and seek understanding, without thinking about all the security to be recommended; trust me, I must even stop myself on this one.
We need to ask ourselves questions, including what about the mission is valuable to you as a mission executive? The richer the picture the mission executive can paint, the better. For example, if my mission is to provide weather maps to military troops in combat, I would want accurate and rapidly available maps; I'm picturing a soldier pulling out a smartphone, and the weather map is just there and ready. From a security perspective, it's probably not going to be helpful if the military combatant must log in to the application to find out if it's cold enough to sustain ice with bullets zinging; likewise, privacy is probably not a top concern. The point is that the security needs to be flexible and designed in context of a mission and environment.
Are You Seeking to Be Understood?
We all do it. We have our own languages or jargon specific to what we do for a living; we develop a short-hand way of communicating among our peers to convey complex ideas quickly, and we (usually) understand each other.
We sometimes use language as a barrier, indirectly implying that what we do is too complex to be questioned, or we substitute buzzwords for deep thought. Cybersecurity jargon and its cousin, policy jargon, are infamous for their ability to bedazzle and overwhelm those not accustomed to this "speak." The fastest way to clear a room at a party is to start talking about polymorphic encryption and its benefits as a security control for obfuscating personally identifiable information (two bits of jargon in the same sentence!).
By the same token, we cannot underestimate the ability to befuddle others with mission-specific jargon. Even today I wonder what a competency-based approach to organizational efficacy means (if you know, please don't explain). As you enter these conversations, you need to be aware of our collective predilection for our own comfortable jargon and make a deliberate effort to speak in more universal terms, understandable to those in other disciplines. In the end, we all want the same thing—a secure mission.
Is the Proposed Security Reasonable?
Also important is how much the mission is worth to protect. For example, if an application is developed for a mission that minimally impacts a few people, and costs a few hundred dollars and will be used by very few people for two weeks then discarded, it probably doesn’t make sense to spend millions of dollars securing it.
Discussing the worst-case scenario if the mission fails is very informative for understanding how much security is enough. For example, if human lives would be lost if the application is not available, you might spend extra money for redundancy. Likewise, if the temporary application used for two weeks.