Advice for Government Agencies in Starting a Formal InfoSec Program, Part 2

Based on last week’s blog post we’ve determined that your formal information security (infosec) program strategy should address:

  • Taking stock of what your agency does and what the critical services provided are.
    • Criticality, much like beauty, is in the eye of the beholder.
  • Doing the basics when it comes to information security:
    • vulnerability scanning
    • patching
    • user account management
    • proper permissions

Here are some other thoughts to consider. Again, please note, this is not intended to be a comprehensive list. The hope is by reading this you know enough to identify the capable resources (internal staff and/or vendors) who can help you on this journey. At a minimum, this blog post should raise additional questions!

Before You Can Move Forward, You Have to Know Where You’ve Been

More succinctly, how mature is your information security program today? This can be painful to answer but it is absolutely necessary. Why? A couple of reasons:

  • You are establishing a baseline by which you can develop realistic goals – ones that are tangible and accomplishable. It’s no different than being an overweight, middle-aged guy (coincidental, by the way) and wanting the next step of my journey to be a successful cage fighter. Not realistic. However, if I am honest with myself I can develop a plan that eventually (theoretically) gets me to a stage where that might be accomplishable or attainable.
    • NOTE: Articulate your truth/baseline in writing. Why? This way you can shape the assessment the way you think appropriate. Additionally, there is less room for creative interpretation of “what you meant.” What you meant is what you wrote. Plus it’s cathartic.
  • If your agency is like everyone else’s, you have finite money and resources, finite to the point where you can’t do everything at once. Use your maturity assessment to help focus on where your biggest pain points are.

Where Is the Greatest Risk, Reward and Opportunity?

OK, this is a mouthful but look at it this way – one of the reasons why organizations go through the time and expense of developing a strategy is so they can articulate where they’re at, where they want to go and the best way to get there. InfoSec is no different.


The goal of information security isn’t to eliminate risk – this is impossible. I know it is dangerous to use absolutes but I feel pretty good on this one. If you were able to hit perfection and eliminate all organizational risk, that feel would probably last a whole five minutes. Our job (as mentioned in previous posts) is to reduce the information security risk of an agency to a level that is acceptable to your management. If this is the case, shouldn’t risk factor into how our strategy should be laid out?


This one is generally open to interpretation. Reward can be defined as revenue, notoriety, improved efficiency, etc. I use reward as another variable in how Maricopa County’s InfoSec program was developed. In my case, reward equaled the ability to progress the goals and objectives of Maricopa County. Plain and simple – does our security strategy help Maricopa County get closer to its goals and objectives? If not, then why are we doing what we’re doing?


Perhaps a better way of saying this is timing, although that is not all I mean by opportunity. Being a good planner is not only knowing what to do but when to do it. Program development is no different. It is actually harder in my opinion. Why? For a more detailed description, please check out https://apmg-international.com/article/difference-between-project-and-program. In a nutshell, a project is a single effort to deliver a tangible, quantifiable deliverable. A program is an effort that takes multiple projects, usually related to one another, and consolidates planning under a single program.

So what’s this have to do with anything? No agency, company, etc. exists in a vacuum. Typically the departments within said org don’t either. As such it is important to understand who is doing what, when they are doing it and if “it” directly or indirectly impacts your program planning.

For example, we have an identity and access management (IAM) effort underway at the county and just completed phase 1. One of the things we determined was that we needed to identify a single system to track certain identity types. Not a small problem! Fortunately, we were aware that our HR department had just kicked off a project to replace key HR systems. We chatted, and next thing you know, that project’s scope is now accommodating the gaps that InfoSec’s IAM effort identified.  Have your strategy take into consideration other projects and initiatives and see where you might be able to find some synergies!

Thanks again to everyone at GovLoop for the opportunity and to everyone who’s read and commented on the blog!

Interested in becoming a Featured Contributor? Email topics you’re interested in covering for GovLoop to [email protected]. And to read more from our Winter 2021 Cohort, here is a full list of every Featured Contributor during this cohort.

Lester Godsey is the Chief Information Security and Privacy Officer for Maricopa County, Arizona, which is the fourth most populous county in the United States. With over 25 years of higher education and local government IT experience, Lester has spoken at local, state and national conferences on topics ranging from telecommunications to project management to cybersecurity and data. His current areas of professional interest center around IoT (Internet of Things) technology and data management and the juxtaposition of these disciplines with cybersecurity. You can follow Lester on LinkedIn.

Leave a Comment

One Comment

Leave a Reply

Avatar photo Nicole Blake Johnson

Information security is a tough topic to share with the masses, but you’ve found a way to make it practical and relevant to those in and outside the security space. Ultimately, we’re all in this together, so having a shared understanding matters a lot.