This interview is an excerpt from our recent guide, The Future of Cybersecurity, which examines 15 trends transforming the way government safeguards information and technology.
A common misconception is that cyber criminals only target systems. In reality, these criminals target employees to get access to government systems and citizen data. Chesterfield County CIO Barry Condrey says that’s why cybersecurity is not just about sophisticated technology, but also about leveraging your workforce to help create a secure environment.
“Something we constantly reinforce with our employees is that they are the target,” Condrey said. “Employers need to begin putting cyber language in job descriptions for a wide variety of people. We consider contractors, kitchen staff, code developers, vendors, and vendor employees all as part of our cyber workforce.”
With increased dependence on technology comes an increased need for awareness in the cyber workforce, especially of dangerous assumptions that can affect an entire organization’s information security program.
Assumption 1: The more IT skills a person has, the less you have to worry about securing the environment.
This stereotype promotes the idea that IT people intuitively know what to do in the event of a breach. Although they may be more knowledgeable in such circumstances, organizations should not solely depend on IT personnel.
Take database administrators, for example. “They’re an example of a group that really does need extra cyber training as well as mitigation strategies,” he said. It’s important to ensure that the general workforce is well trained in order to avoid the moral hazard of overdependence on tech staff.
Assumption 2: More money means more security.
Some leaders assume that by spending a lot of money on equipment and new technology, they will create a high-security environment. However, given the ever-increasing complexity in cyberthreats, Condrey said, we can’t rely on technology alone to keep pace. “It’s really the human element and it’s how well you’ve used the equipment that will reduce your risk profile,” he said.
Assumption 3: Millennials leak the most information.
“You’ve probably heard the stereotype of millennials being leaky because they’re so plugged in. We find that to be just the opposite. We find a lot of millennials are very focused on their information security. They know how plugged in they are and they seem to know what the risks are,” Condrey said.
The reality is that baby boomers approach technology differently than younger generations. Since they know they understand technology a bit less, baby boomers are usually stronger proponents of information security, which creates the illusion that millennials are less concerned with securing information.
Assumption 4: Organization leaders don’t like security.
The reality is leaders of organizations would rather be prepared for the worst. “People assume chief financial officers, chief executive officers, county administrators, city administrators, and other agency heads don’t want to deal with it,” Condrey said. “My experience is that CFOs and people in leadership don’t like surprises.” In short, don’t be afraid to communicate details of any information security problems to higher-ups.
Assumption 5: Some organizations don’t have information worth stealing.
Any government organization has information worth stealing, even if everything is public and shared with citizens. “Even if you don’t think you’ve got information worth stealing, you have the public trust. You have a certain degree of responsibility, no matter what your position or your line of business within the organization, to keep information secure,” Condrey said. No matter how transparent the organization, information is always vulnerable.
Be sure to read the rest of Condrey’s interview in our new guide, The Future of Cybersecurity.