Cybersecurity is a Journey not a Destination

By Robin Camarote, Cadmus

Cybersecurity tops agency priority lists across government. And for good reason, as Department of Homeland Security (DHS) Secretary Alejandro Mayorkas recently stated, “Cyberattacks have emerged as one of the most significant threats to our homeland.” Additionally, the recent Executive Order and guidance from the White House mandates that agencies move towards Zero Trust cybersecurity principles.

While cybersecurity is a priority for all agencies, the overall security posture of every agency is different. Some agencies, like DHS, have been focused on cyber as core to their mission for decades. Other agencies may have been at it less time but, nonetheless, cite cybersecurity as a key concern in delivering citizen services and implementing systems to support these mission goals.

There is no one-size fits all approach to cybersecurity operations, so how can all agencies make progress against this ever-evolving challenge? Our work across the Internal Revenue Service, Fiscal Service, Department of the Interior and the General Services Administration has taught us that agencies working to create a shared cyber mindset and culture are seeing progress in meeting cyber goals.

To develop a resilient cybersecurity posture at the Fiscal Service we actively engaged employees and leadership on cybersecurity awareness, support and shared responsibility. Our experts helped employees identify personal cybersecurity skill development opportunities. We next developed and executed scalable strategies to help employees adapt to evolving cybersecurity policies and practices. Together with our partners, we stood up a Cybersecurity Strategy Center and built agency-wide awareness of cyber threats and the initiatives to combat them as part of our effort to cement a strong cybersecurity culture.

DHS’ Cyber and Infrastructure Security Agency (CISA) published a zero trust maturity model stating “… zero trust may require a change in an organization’s philosophy and culture around cybersecurity. The path to zero trust is a journey that will take years to implement.” This statement recognizes that in addition to process and technology strategies, agencies must ramp up the focus on culture and adoption of a cyber mindset that goes beyond awareness to employees seeing themselves as part of the solution.

At Wheelhouse we believe that employees at every level must be meaningfully engaged, equipped and prepared to develop, use, operate and follow security policies. It is imperative that leaders create shared responsibility and change behaviors in order to reduce security vulnerabilities.

Here are three proven ways all agencies can build awareness and adoption of a cyber mindset.

  1. Communicate creatively and relentlessly. Shifting from “it probably won’t affect me” to “it can happen to anyone” and from “Cybersecurity isn’t my job” to “Cybersecurity is part of every employee’s job” requires clear, consistent messaging. While traditional communications outlets are reliable, explore creative options such as videos, using employees as ambassadors and supporting peer-to-peer information sharing with talking points and scenarios.
  2. Encourage both personal and shared responsibility. No one heroic employee or team can do this work alone. Minimizing or mitigating risk requires both personal responsibility and collaboration and a willingness to work together across offices.
  3. Create a culture with cyber at its heart. Initiate cross-agency working groups, communities and shared communication vehicles like newsletters and lunch and learn sessions. Encourage these collaborators to host panel discussions and workshops and build cyber into the fabric of your agency.

The unfortunate reality is that people – not an absence of secure technology or policies – represent the greatest cybersecurity weakness. The best tools and processes simply aren’t enough to build a cybersecure organization. Building a cyber culture and mindset are the best defense in this journey toward cybersecurity.