Cybersecurity isn’t a monolith. It isn’t one action or tool, and there’s constant change. With this in mind, what can employees, supervisors and security professionals do to continuously align with strong security practices? How can they develop secure habits that support agencywide goals such as hybrid work?
We’ve outlined four key areas that can bring security down to the desk and device levels so that all employees can be part of the solution.
Awareness: Acknowledge & Address Cyber Fatigue
Challenge: A barrage of agency emails, bulletins and news alerts inundate employees with reminders to stay vigilant. But information overload is a real concern.
The reality is: “We as humans can only take a measured amount of that, so we have to be judicious, and we have to make sure that we don’t just make it so common and so easily ignorable,” said Christopher Rein, New Jersey’s Chief Technology Officer. “It’s like that email you get every five minutes; pretty soon, you’re not going to even open them. You’re just going to click and delete. You don’t want that to happen with cybersecurity.”
What’s at stake: Public trust is only as strong as a government’s ability to do what it says it will do, which includes protecting people’s private data. “What we’re really selling is confidence to our citizens — confidence that we can protect their data, we can secure it, we can give them secure access to systems,” Rein said.
Solution: Agencies must be intentional about when and how they communicate security-related issues with their workforces. “It’s a battle, and it needs to be fought every day,” Rein said. That battle will look different for every agency and employee, depending on their roles, but the key is helping employees view and treat cyber as one of their core responsibilities. Show them how to remain sharp when it comes to security habits and practices while ensuring that the message resonates and is tied to outcomes they can understand.
Communication: Explain the ‘Why’
Challenge: Buzzwords are a turnoff. Take zero trust security. “It is a bad name,” said Jim Richberg, Public Sector Chief Information Security Officer (CISO) at Fortinet, who spent years in the intelligence community before joining the private sector.
Solution: Agencies must make concepts plain, real and tangible for their workforces. How does a security practice impact or support the way they work, where they work and whom they serve? For example, zero trust security, which is now a hallmark of the federal government’s cybersecurity strategy going forward, lacks clarity. “[Zero trust] does not mean your people are not trustworthy; it means trust should not be locational,” Richberg said.
Keep it simple: Richberg described zero trust security as a way for the government to “get beyond the Tootsie Pop approach to cybersecurity,” or the belief that IT networks are hard and crunchy on the outside and soft and chewy on the inside. Knowing that threats can come from both inside and outside agencies, zero trust is a way of operating that says, once we confirm you are you, then you’ll get reasonable access to do your job and nothing more, Richberg said. “One of the hallmarks of zero trust is really making sure that you have a detailed understanding of the data and transaction flows within your environment,” said Ryan Higgins, CISO and Deputy Chief Information Officer at the Commerce Department.
Shift your thinking: Higgins added that zero trust security takes into consideration the complexity of modern networks and the mobility of users. Ultimately, internal and external users want to complete tasks. Supporting ease of use for them requires a shift in thinking that emphasizes protecting information and missions at the data level — an area that traditional security measures haven’t focused on, Higgins said.
Education: Clarify the Role Employees Play in Cyber
Challenge: “Cybersecurity is a team sport” has become a universal talking point. It’s true, but do individuals truly know their roles? Beyond annual security training, it can be hard for some employees to see the link between their personal actions – even when they’re harmless and well-intentioned – and organizational consequences.
Solution: The key is making clear what’s in it for employees. For example, how can they play a part, and how can they better understand what’s at stake? At the Government Accountability Office (GAO), Director of Information Technology and Cybersecurity Jennifer R. Franks communicates this message with a mixed generational team by drawing the connection between their social lives online and their work. For example, putting location tags on photos and sharing one’s whereabouts, especially as government employees, can make people a target.
User training: Richberg noted that bad actors are using artificial intelligence (AI) and machine learning in crafty ways that make it hard for users to spot malicious emails and content. “We really need to help our employees be a little bit more diligent,” Franks said. She suggested that agencies keep training fresh by including more tactical approaches such as phishing, malware and social engineering exercises. The goal is creating an ongoing awareness that even at home or outside their agencies’ networks, employees can play a critical role in keeping their organizations secure, Franks said.
Beyond training: It’s not only about clarifying roles but also about enabling employees. “We have people in [security operations centers] who are dying from too much data, too many solutions, having to manually integrate things that should be automated,” Richberg said. His message to executives: “Focus some of that spending on things that will do the automation and that won’t kill your people with thousands of alerts per shift.”
Collaborate: Don’t Wait Until an Attack Happens
Challenge: Today’s security landscape has more threats than ever. Yet too often, agencies operate in silos and do not share intelligence about these threats. Frequently, the result is that IT managers miss crucial insights and agencies are left unprepared for disruptive security incidents. “If you only start trying to learn to collaborate after a bad thing has happened, you’re too late,” Richberg said.
Solution: Like the military, agencies must learn how to fight while training in collaboration and security tactics. The training doesn’t have to be high-tech or elaborate to be effective, Richberg said. Even hosting a tabletop exercise can help uncover gaps. These discussion-based sessions can provide a space for team members to meet informally and understand their roles during specific emergencies.
Metrics matter: Metrics help drive accountability, Rein said. Accountability fosters collaboration. Sometimes, that collaboration comes in the form of healthy competition, especially when everyone is chasing the same goal. For example, when New Jersey made a push to adopt multi-factor authentication, it was a statewide effort, complete with metrics that showed which organizations were leading the charge.
“One thing the cabinet members don’t value is being embarrassed by their peers,” Rein said. “So, metrics do matter. You don’t want to use it in a pejorative way, you don’t want to use it in a shaming way, so there is some sensitivity in how you use those metrics, but I can’t think of a better building block.”
Creativity also counts: Now is the time for agencies to explore alternatives outside the traditional approach to security. Cybersecurity benefits from the creativity of those from diverse backgrounds and disciplines, Higgins said. His advice: “We need to further infuse our workforce with new ideas, new energy and tap into the most talented individuals we can find.”